CVE-2022-46835: 
SailPoint IdentityIQ vulnerability analysis and mitigation

CVE-2022-46835 is a path traversal vulnerability affecting SailPoint's IdentityIQ software. The vulnerability was discovered in multiple versions of IdentityIQ (8.0, 8.1, 8.2, and 8.3) and their respective patch levels, allowing unauthorized access to arbitrary files in the application server filesystem. This vulnerability is related to a known issue in JavaServer Faces (JSF) 2.2.20 previously documented in CVE-2020-6950. The vulnerability was published on January 31, 2023 (NVD).

The vulnerability is classified as an Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) vulnerability, identified as CWE-22. It received a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H according to SailPoint Technologies, while the NVD assessment rated it at 7.5 (HIGH) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (Vendor Advisory).

The vulnerability allows attackers to access arbitrary files in the application server filesystem, potentially leading to unauthorized access to sensitive information and system files. The high CVSS score indicates significant potential impact on system confidentiality and integrity (NVD).

SailPoint has released an e-fix to address this vulnerability across all impacted versions of IdentityIQ. The fix is included in IdentityIQ versions 8.3p2, 8.2p5, 8.1p7, and 8.0p6. Organizations are advised to upgrade to these patched versions or apply the available e-fix (Vendor Advisory).