CVE-2023-32217: 
SailPoint IdentityIQ vulnerability analysis and mitigation

CVE-2023-32217 is a security vulnerability discovered in SailPoint's IdentityIQ software that affects multiple versions including IdentityIQ 8.3, 8.2, 8.1, and 8.0 and their respective patch levels. The vulnerability was disclosed on May 31, 2023, and allows an authenticated user to invoke Java constructors in any Java class available in the IdentityIQ application classpath (Vendor Advisory).

The vulnerability is classified as an Unsafe use of Reflection vulnerability (CWE-470) that enables authenticated users to invoke either a Java constructor with no arguments or a Java constructor with a single Map argument in any Java class available in the IdentityIQ application classpath. The vulnerability has received a CVSS v3.1 Base Score of 8.8 HIGH (NIST) and 9.0 CRITICAL (SailPoint), with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability poses significant security risks as it could potentially lead to high impacts on confidentiality, integrity, and availability of the affected systems. The CVSS scoring indicates that successful exploitation could result in a complete compromise of system security (NVD).

SailPoint has released e-fixes for each impacted and supported version of IdentityIQ. The fixed versions include 8.3p3, 8.2p6, 8.1p7, and 8.0p6. Users are advised to update to these patched versions to mitigate the vulnerability (Vendor Advisory).