CVE-2024-2227: 
SailPoint IdentityIQ vulnerability analysis and mitigation

A path traversal vulnerability (CVE-2024-2227) was discovered in JavaServer Faces (JSF) 2.2.20 affecting SailPoint IdentityIQ. This vulnerability allows access to arbitrary files in the application server file system. The issue is related to a previous vulnerability (CVE-2020-6950) and builds upon previous remediation efforts from May 2021 (tracked by ETN IIQSAW-3585) and January 2024 (tracked by IIQFW-336) (NVD).

The vulnerability has been assigned a Critical severity rating with a CVSS v3.1 Base Score of 10.0, indicating the highest level of severity. The CVSS vector string is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, which suggests the vulnerability can be exploited over the network, requires low attack complexity, needs no privileges or user interaction, and can result in high impacts to confidentiality, integrity, and availability. The vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) (NVD).

The vulnerability allows attackers to access arbitrary files in the application server file system, potentially exposing sensitive information and compromising system security. Given the critical CVSS score of 10.0, this vulnerability represents a severe risk to affected systems with potential for complete system compromise (NVD).

SailPoint has released security fixes to address this vulnerability. The remediation includes additional changes to previous fixes implemented in May 2021 and January 2024. Organizations using affected versions of IdentityIQ should apply the latest security updates (SailPoint Advisories).