CVE-2024-10905
SailPoint IdentityIQ vulnerability analysis and mitigation

Overview

A critical vulnerability (CVE-2024-10905) has been discovered in SailPoint's IdentityIQ identity and access management (IAM) platform. The vulnerability affects IdentityIQ versions 8.4 and all 8.4 patch levels prior to 8.4p2, IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p5, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p8, and all prior versions. The flaw allows unauthorized HTTP/HTTPS access to static content in the IdentityIQ application directory that should be protected (SailPoint Advisory, SecurityWeek).
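As an added example (not code from the advisory, SailPoint or the sources cited), the affected ranges above can be encoded as an inventory check that tells an operator which instances still need the e-fix; the hostnames and versions in the sample inventory are constructed, and anything newer than 8.4 is reported as "not listed" because the advisory does not name it.

```python
import re

# Affected ranges as stated in the SailPoint advisory summarised above:
# 8.4 before 8.4p2, 8.3 before 8.3p5, 8.2 before 8.2p8, and every older release.
FIRST_FIXED_PATCH = {(8, 4): 2, (8, 3): 5, (8, 2): 8}
OLDEST_LISTED_BASE = (8, 2)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:p(\d+))?$", re.IGNORECASE)


def parse_version(text):
    """Parse an IdentityIQ version such as '8.4p1' into ((8, 4), 1).

    A release with no patch suffix ('8.3') is patch level 0.
    Raises ValueError for strings that are not in the major.minor[pN] form.
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised IdentityIQ version string: {text!r}")
    major, minor, patch = match.groups()
    return (int(major), int(minor)), int(patch or 0)


def classify(text):
    """Return 'affected', 'fixed' or 'not listed' for one version string."""
    base, patch = parse_version(text)
    if base in FIRST_FIXED_PATCH:
        return "affected" if patch < FIRST_FIXED_PATCH[base] else "fixed"
    if base < OLDEST_LISTED_BASE:
        return "affected"        # "all prior versions" in the advisory
    return "not listed"          # newer than 8.4: not named in the advisory


def affected_hosts(inventory):
    """Filter (hostname, version) pairs down to those still needing the e-fix."""
    return [host for host, version in inventory if classify(version) == "affected"]


# Constructed sample inventory (hypothetical hostnames and versions).
SAMPLE_INVENTORY = [
    ("iiq-prod-01", "8.4p1"),
    ("iiq-prod-02", "8.4p2"),
    ("iiq-uat-01", "8.3p4"),
    ("iiq-legacy", "8.1p3"),
    ("iiq-dev-01", "8.2p8"),
]

if __name__ == "__main__":
    for host, version in SAMPLE_INVENTORY:
        print(f"{host:12} {version:7} {classify(version)}")
```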

Technical details

The vulnerability is classified as improper handling of file names that identify virtual resources (CWE-66) and has been assigned a CVSS v3.1 score of 10.0 (Critical), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H. That vector decodes to an attack reachable over the network (AV:N) with low complexity (AC:L), requiring neither privileges (PR:N) nor user interaction (UI:N), with changed scope (S:C) and high impact on confidentiality, integrity and availability (C:H/I:H/A:H): the highest possible severity rating, meaning the flaw is easy to exploit and could have significant impact (Hacker News, SecurityWeek).

Impact

The vulnerability essentially functions as a directory traversal flaw that could allow attackers to access restricted files within the application directory. This could potentially lead to the exposure of sensitive configuration files, application code, and user data. The critical CVSS score of 10.0 indicates maximum potential impact on confidentiality, integrity, and availability of the system (SecurityWeek).

Mitigation and workarounds

SailPoint has released e-fixes for all affected and supported versions of IdentityIQ. The company plans to include these fixes in future patch levels for each release. Organizations using affected versions are strongly urged to apply these patches immediately (SailPoint Advisory, Hacker News).

Community reactions

In response to the vulnerability disclosure, SailPoint CISO Rex Booth emphasized the company's commitment to transparency and security, stating that publishing CVEs is a voluntary practice demonstrating dedication to security. He further noted that finding and remediating vulnerabilities is a sign of a mature security program (Hacker News).
