CVE-2024-10905 (CVSS 10): Critical Vulnerability in SailPoint IdentityIQ Exposes Sensitive Data


A critical vulnerability has been discovered in SailPoint IdentityIQ, a widely used identity and access management (IAM) platform. The flaw, tracked as CVE-2024-10905, has been assigned a CVSS score of 10.0, the highest possible rating. Under CVSS v3 that score is only reached by a flaw that is reachable over the network, requires no privileges and no user interaction, and is rated high-impact for confidentiality, integrity and availability, so it should be treated as remotely exploitable by an unauthenticated attacker with severe consequences for affected organizations.

Improper Access Control Leads to Data Exposure

The vulnerability stems from improper access controls within IdentityIQ: the application serves, over HTTP, static content in the IdentityIQ application directory that should be protected from direct access. An attacker who can reach the web interface can therefore retrieve such files without valid IdentityIQ credentials. The exposed content could include sensitive configuration files, application code, and potentially user data; configuration files are the most immediate concern, since anything they contain (connection details, secrets) becomes readable to the attacker.

Affected Versions

The vulnerability affects a wide range of IdentityIQ versions, including:

  • IdentityIQ 8.4 and all 8.4 patch levels prior to 8.4p2
  • IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p5
  • IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p8
  • All previous versions of IdentityIQ
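
As an added example (not SailPoint's code and not part of this advisory), the following Python check classifies IdentityIQ version strings written in the advisory's `8.4p2` notation against the list above, so an inventory can be triaged quickly. The hostnames in the sample are constructed, and treating release lines newer than 8.4 as fixed is an assumption based on the note that future patch levels carry the fix.

```python
"""Inventory triage for CVE-2024-10905 (SailPoint IdentityIQ).

Added example, not SailPoint code. Classifies version strings such as
"8.3p4" or "8.4" against the affected-version list in the advisory.
"""
import re

# Lowest patch level per release line that carries the fix, per the advisory.
FIRST_FIXED_PATCH = {
    (8, 2): 8,   # 8.2p8
    (8, 3): 5,   # 8.3p5
    (8, 4): 2,   # 8.4p2
}
# Every release line older than 8.2 falls under "all previous versions".
OLDEST_LISTED_LINE = (8, 2)

# Accepts "MAJOR.MINOR" or "MAJOR.MINORpN" (the advisory's notation).
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:p(\d+))?\s*$", re.IGNORECASE)


def parse_version(text):
    """Parse an IdentityIQ version string into (major, minor, patch).

    A base release with no 'pN' suffix is patch level 0. Raises ValueError
    on anything that does not follow the expected notation.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised IdentityIQ version string: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_affected(version_text):
    """Return True if the version is vulnerable according to the advisory.

    Assumption (not a SailPoint statement): release lines newer than 8.4
    are treated as shipping with the fix.
    """
    major, minor, patch = parse_version(version_text)
    line = (major, minor)
    if line < OLDEST_LISTED_LINE:
        return True                      # "All previous versions of IdentityIQ"
    if line in FIRST_FIXED_PATCH:
        return patch < FIRST_FIXED_PATCH[line]
    return False                         # assumption: later lines are fixed


def triage(inventory):
    """Map host -> 'affected' | 'fixed' | 'unknown' for a {host: version} dict.

    Unparseable version strings are reported as 'unknown' rather than being
    silently treated as safe; those hosts need a manual look.
    """
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = "affected" if is_affected(version) else "fixed"
        except ValueError:
            result[host] = "unknown"
    return result


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {
        "iiq-prod-01": "8.4p1",
        "iiq-prod-02": "8.4p2",
        "iiq-dr-01": "8.3p4",
        "iiq-legacy": "8.1p3",
        "iiq-test": "8.2p8",
        "iiq-lab": "8.4 GA",   # not in pN notation -> reported as unknown
    }
    for host, status in triage(sample).items():
        print(f"{host:12s} {sample[host]:8s} {status}")
```

Hosts that come back as `unknown` should be checked by hand rather than assumed safe; the check deliberately does not guess at version strings it cannot parse.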

Urgent Action Required

SailPoint has released e-fixes (out-of-band hotfixes applied on top of an existing patch level) to address this vulnerability for all supported versions of IdentityIQ. Organizations running any affected version are strongly urged to apply the e-fix for their version immediately; the next patch levels (8.4p2, 8.3p5 and 8.2p8, and later) will also include the fix. Deployments older than the 8.2 line are listed as affected but, since the e-fixes cover supported versions only, need to be upgraded to a supported release before they can be patched.
