CVE-2024-10905
Vulnerability from cvelistv5
Published
2024-12-02 14:49
Modified
2025-01-06 17:42
Severity ?
10.0 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Summary
IdentityIQ 8.4 and all 8.4 patch levels prior to 8.4p2, IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p5, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p8, and all prior versions allow HTTP/HTTPS access to static content in the IdentityIQ application directory that should be protected.
References
psirt@sailpoint.comhttps://www.sailpoint.com/security-advisories/identityiq-improper-access-control-vulnerability-cve-2024-10905
Impacted products
Vendor Product Version
SailPoint Technologies IdentityIQ Version: 8.2   
Version: 8.3   
Version: 8.4   
Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:sailpoint:identityiq:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "identityiq",
            "vendor": "sailpoint",
            "versions": [
              {
                "lessThan": "8.2p8",
                "status": "affected",
                "version": "8.2",
                "versionType": "semver"
              },
              {
                "lessThan": "8.3p5",
                "status": "affected",
                "version": "8.3",
                "versionType": "semver"
              },
              {
                "lessThan": "8.4p2",
                "status": "affected",
                "version": "8.4",
                "versionType": "semver"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-10905",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-12-03T04:55:24.996838Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-06T17:42:22.215Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "product": "IdentityIQ",
          "vendor": "SailPoint Technologies",
          "versions": [
            {
              "lessThan": "8.2p8",
              "status": "affected",
              "version": "8.2",
              "versionType": "semver"
            },
            {
              "lessThan": "8.3p5",
              "status": "affected",
              "version": "8.3",
              "versionType": "semver"
            },
            {
              "lessThan": "8.4p2",
              "status": "affected",
              "version": "8.4",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "IdentityIQ 8.4 and all 8.4 patch levels prior to 8.4p2, IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p5, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p8, and all prior versions\u0026nbsp;\u003cspan style=\"background-color: var(--wht);\"\u003eallow HTTP/HTTPS access to\u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: var(--wht);\"\u003estatic content in the IdentityIQ application directory that should be protected.\u003c/span\u003e\u003cspan style=\"background-color: var(--wht);\"\u003e\u003cbr\u003e\u003c/span\u003e\n\n\n\u003cbr\u003e"
            }
          ],
          "value": "IdentityIQ 8.4 and all 8.4 patch levels prior to 8.4p2, IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p5, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p8, and all prior versions\u00a0allow HTTP/HTTPS access to\u00a0static content in the IdentityIQ application directory that should be protected."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-1",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 10,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-66",
              "description": "CWE-66: Improper Handling of File Names that Identify Virtual Resources",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-06T17:57:12.682Z",
        "orgId": "2cfc7547-56a0-4049-8b52-c3078e8a8719",
        "shortName": "SailPoint"
      },
      "references": [
        {
          "url": "https://www.sailpoint.com/security-advisories/identityiq-improper-access-control-vulnerability-cve-2024-10905"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://community.sailpoint.com/t5/IdentityIQ-Blog/IdentityIQ-Improper-Access-Control-Vulnerability/ba-p/261409\"\u003ehttps://community.sailpoint.com/t5/IdentityIQ-Blog/IdentityIQ-Improper-Access-Control-Vulnerability/...\u003c/a\u003e"
            }
          ],
          "value": "https://community.sailpoint.com/t5/IdentityIQ-Blog/IdentityIQ-Improper-Access-Control-Vulnerability/... https://community.sailpoint.com/t5/IdentityIQ-Blog/IdentityIQ-Improper-Access-Control-Vulnerability/ba-p/261409"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "IdentityIQ Improper Access Control VulnerabilityIdentityIQ Improper Access Control Vulnerability",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "2cfc7547-56a0-4049-8b52-c3078e8a8719",
    "assignerShortName": "SailPoint",
    "cveId": "CVE-2024-10905",
    "datePublished": "2024-12-02T14:49:51.199Z",
    "dateReserved": "2024-11-05T20:21:47.258Z",
    "dateUpdated": "2025-01-06T17:42:22.215Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-10905\",\"sourceIdentifier\":\"psirt@sailpoint.com\",\"published\":\"2024-12-02T15:15:10.240\",\"lastModified\":\"2024-12-06T18:15:22.207\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"IdentityIQ 8.4 and all 8.4 patch levels prior to 8.4p2, IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p5, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p8, and all prior versions\u00a0allow HTTP/HTTPS access to\u00a0static content in the IdentityIQ application directory that should be protected.\"},{\"lang\":\"es\",\"value\":\"IdentityIQ 8.4 y todos los niveles de parche 8.4 anteriores a 8.4p2, IdentityIQ 8.3 y todos los niveles de parche 8.3 anteriores a 8.3p5, IdentityIQ 8.2 y todos los niveles de parche 8.2 anteriores a 8.2p8, y todas las versiones anteriores permiten el acceso HTTP a contenido est\u00e1tico en el directorio de la aplicaci\u00f3n IdentityIQ que debe estar protegido.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"psirt@sailpoint.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\",\"baseScore\":10.0,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":6.0}]},\"weaknesses\":[{\"source\":\"psirt@sailpoint.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-66\"}]}],\"references\":[{\"url\":\"https://www.sailpoint.com/security-advisories/identityiq-improper-access-control-vulnerability-cve-2024-10905\",\"source\":\"psirt@sailpoint.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-10905\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-12-03T04:55:24.996838Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:sailpoint:identityiq:*:*:*:*:*:*:*:*\"], \"vendor\": \"sailpoint\", \"product\": \"identityiq\", \"versions\": [{\"status\": \"affected\", \"version\": \"8.2\", \"lessThan\": \"8.2p8\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"8.3\", \"lessThan\": \"8.3p5\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"8.4\", \"lessThan\": \"8.4p2\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-12-02T15:26:13.287Z\"}}], \"cna\": {\"title\": \"IdentityIQ Improper Access Control VulnerabilityIdentityIQ Improper Access Control Vulnerability\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"impacts\": [{\"capecId\": \"CAPEC-1\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 10, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"SailPoint Technologies\", \"product\": \"IdentityIQ\", \"versions\": [{\"status\": \"affected\", \"version\": \"8.2\", \"lessThan\": \"8.2p8\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"8.3\", \"lessThan\": \"8.3p5\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"8.4\", \"lessThan\": \"8.4p2\", \"versionType\": \"semver\"}], \"defaultStatus\": \"affected\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"https://community.sailpoint.com/t5/IdentityIQ-Blog/IdentityIQ-Improper-Access-Control-Vulnerability/... https://community.sailpoint.com/t5/IdentityIQ-Blog/IdentityIQ-Improper-Access-Control-Vulnerability/ba-p/261409\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003ca target=\\\"_blank\\\" rel=\\\"nofollow\\\" href=\\\"https://community.sailpoint.com/t5/IdentityIQ-Blog/IdentityIQ-Improper-Access-Control-Vulnerability/ba-p/261409\\\"\u003ehttps://community.sailpoint.com/t5/IdentityIQ-Blog/IdentityIQ-Improper-Access-Control-Vulnerability/...\u003c/a\u003e\", \"base64\": false}]}], \"references\": [{\"url\": \"https://www.sailpoint.com/security-advisories/identityiq-improper-access-control-vulnerability-cve-2024-10905\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"IdentityIQ 8.4 and all 8.4 patch levels prior to 8.4p2, IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p5, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p8, and all prior versions\\u00a0allow HTTP/HTTPS access to\\u00a0static content in the IdentityIQ application directory that should be protected.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"IdentityIQ 8.4 and all 8.4 patch levels prior to 8.4p2, IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p5, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p8, and all prior versions\u0026nbsp;\u003cspan style=\\\"background-color: var(--wht);\\\"\u003eallow HTTP/HTTPS access to\u0026nbsp;\u003c/span\u003e\u003cspan style=\\\"background-color: var(--wht);\\\"\u003estatic content in the IdentityIQ application directory that should be protected.\u003c/span\u003e\u003cspan style=\\\"background-color: var(--wht);\\\"\u003e\u003cbr\u003e\u003c/span\u003e\\n\\n\\n\u003cbr\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-66\", \"description\": \"CWE-66: Improper Handling of File Names that Identify Virtual Resources\"}]}], \"providerMetadata\": {\"orgId\": \"2cfc7547-56a0-4049-8b52-c3078e8a8719\", \"shortName\": \"SailPoint\", \"dateUpdated\": \"2024-12-06T17:57:12.682Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-10905\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-01-06T17:42:22.215Z\", \"dateReserved\": \"2024-11-05T20:21:47.258Z\", \"assignerOrgId\": \"2cfc7547-56a0-4049-8b52-c3078e8a8719\", \"datePublished\": \"2024-12-02T14:49:51.199Z\", \"assignerShortName\": \"SailPoint\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.