CVE-2024-1714: 
SailPoint IdentityIQ vulnerability analysis and mitigation

A vulnerability exists in all supported versions of IdentityIQ Lifecycle Manager that can be triggered when an authenticated user requests an entitlement containing leading or trailing whitespace in an access request. The vulnerability was discovered and disclosed on February 21, 2024, and affects all supported versions of SailPoint IdentityIQ (SailPoint Advisory).

The vulnerability is classified as an Improper Input Validation (CWE-20) issue. It has been assigned a CVSS v3.1 score of 7.1 (HIGH), with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:L. This indicates that the vulnerability requires network access, has high attack complexity, needs low privileges, requires user interaction, and can result in high confidentiality impact with low integrity and availability impacts (NVD Database).

The vulnerability affects multiple versions of IdentityIQ including 8.4 (prior to 8.4p1), 8.3 (prior to 8.3p4), 8.1 (prior to 8.1p7), 8.2 (prior to 8.2p7), and all previous versions. The high CVSS score indicates significant potential impact, particularly regarding confidentiality (SailPoint Advisory).

SailPoint has released e-fixes for each impacted and supported version of IdentityIQ. Future patch levels will include these fixes. Organizations are advised to apply the appropriate patches: 8.4p1 for version 8.4, 8.3p4 for version 8.3, 8.1p7 for version 8.1, and 8.2p7 for version 8.2 (SailPoint Advisory).