
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2022-45435 affects SailPoint's IdentityIQ software and was discovered and disclosed on January 31, 2023. It impacts multiple versions of IdentityIQ, including 8.3 (prior to 8.3p2), 8.2 (prior to 8.2p5), 8.1 (prior to 8.1p7), 8.0 (prior to 8.0p6), and all previous versions. The vulnerability allows authenticated users with the Identity Administrator capability, or a custom capability containing the SetIdentityForwarding right, to modify work item forwarding configurations beyond their intended permissions (Vendor Advisory).
The vulnerability is classified as an Incorrect Authorization issue (CWE-863). It received a CVSS v3.1 base score of 6.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N. The scoring indicates that the vulnerability is network accessible, requires low privileges but high attack complexity, needs no user interaction, has unchanged scope, and can impact both confidentiality and integrity but not availability (Vendor Advisory).
The vulnerability allows unauthorized modification of work item forwarding configurations, potentially compromising the integrity of identity management workflows. This could lead to unauthorized access to sensitive information and potential manipulation of identity management processes (Vendor Advisory).
SailPoint has released e-fixes for each impacted and supported version of IdentityIQ. Users are advised to upgrade to the following patch versions: 8.3p2 or later for IdentityIQ 8.3, 8.2p5 or later for IdentityIQ 8.2, 8.1p7 or later for IdentityIQ 8.1, and 8.0p6 or later for IdentityIQ 8.0 (Vendor Advisory).
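A patch-level triage against the fixed versions listed above, as an added example that is not SailPoint's or this database's code. The version-string shape (`8.2p4`, with no `p` suffix meaning an unpatched base release) and the inventory hostnames are assumptions constructed for illustration.

```python
import re

# Fixed patch level per release line, taken from the advisory summary above.
FIXED_PATCH = {(8, 3): 2, (8, 2): 5, (8, 1): 7, (8, 0): 6}
OLDEST_LISTED = min(FIXED_PATCH)

# Assumed version-string shape: "8.2p4", "8.2 P4" or "8.2" (no suffix = p0).
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\s*p(\d+))?\s*$", re.IGNORECASE)


def parse_version(text):
    """Split an IdentityIQ version string into ((major, minor), patch)."""
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = match.groups()
    return (int(major), int(minor)), int(patch or 0)


def triage(text):
    """Return (status, note) for one installed version."""
    line, patch = parse_version(text)
    if line in FIXED_PATCH:
        fixed = FIXED_PATCH[line]
        if patch >= fixed:
            return "patched", f"at or above {line[0]}.{line[1]}p{fixed}"
        return "affected", f"upgrade to {line[0]}.{line[1]}p{fixed} or later"
    if line < OLDEST_LISTED:
        # "All previous versions" are affected; the page lists no fix for them.
        return "affected", "release line predates 8.0; no fixed patch listed"
    # Newer release lines are not mentioned on the page, so make no claim.
    return "unknown", "release line not covered here; check the vendor advisory"


def triage_inventory(inventory):
    """Map each host to its triage result; unparsable versions are flagged."""
    results = {}
    for host, version in inventory.items():
        try:
            results[host] = triage(version)
        except ValueError as exc:
            results[host] = ("unknown", str(exc))
    return results


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are illustrative).
    sample = {"iiq-prod": "8.2p4", "iiq-dr": "8.3p2", "iiq-legacy": "7.3p5",
              "iiq-lab": "8.1", "iiq-new": "8.4", "iiq-odd": "eight-two"}
    for host, (status, note) in triage_inventory(sample).items():
        print(f"{host:11} {status:9} {note}")
```
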
Source: This report was generated using AI