CRITICAL🇵🇱 Wersja polska

CVE-2024-10905

CVSS 10.0v3.1pub. 2024-12-02upd. 2025-11-12

IdentityIQ 8.4 and all 8.4 patch levels prior to 8.4p2, IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p5, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p8, and all prior versions allow HTTP/HTTPS access to static content in the IdentityIQ application directory that should be protected.

🤖 AI Analysis
How it works

The IdentityIQ application improperly secures access to static resources in its application directory. An attacker can send HTTP or HTTPS requests directly to protected static files without authentication. Access control mechanisms are not enforced for this category of resources, resulting in their unrestricted accessibility from the network (CWE-66: improper handling of file names).

Impact

An attacker can gain unauthorized access to protected static resources of the application, which may lead to disclosure of sensitive data, compromise of environment integrity, and potential disruption of identity management system availability.

Mitigation & patch

SailPoint IdentityIQ should be updated to version 8.4p2, 8.3p5, or 8.2p8 (depending on the branch in use). Details are available in the official security advisory from the vendor: https://www.sailpoint.com/security-advisories/identityiq-improper-access-control-vulnerability-cve-2024-10905

Who is affected

SailPoint IdentityIQ 8.4 and all patch levels prior to 8.4p2; IdentityIQ 8.3 and all patch levels prior to 8.3p5; IdentityIQ 8.2 and all patch levels prior to 8.2p8; all previous versions.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Sailpoint Identityiq

    APP
    Sailpoint
    8.28.38.4< 8.2
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2024-2227CRITICAL10.0PL ✓ten sam produkt

Path Traversal w SailPoint IdentityIQ — dostęp do dowolnych plików serwera

CVE-2023-32217CRITICAL9.0ten sam produkt

IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p3, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p6...

CVE-2026-5712HIGH8.0ten sam produkt

This vulnerability impacts all versions of IdentityIQ and allows an authenticated identity that is the request...

CVE-2025-10280HIGH7.1ten sam produkt

IdentityIQ 8.5, IdentityIQ 8.4 and all 8.4 patch levels prior to 8.4p4, IdentityIQ 8.3 and all 8.3 patch level...

CVE-2024-2228HIGH7.1ten sam produkt

This vulnerability allows an authenticated user to perform a Lifecycle Manager flow or other QuickLink for a t...