CRITICAL🇵🇱 Wersja polska

CVE-2024-2227

CVSS 10.0v3.1pub. 2024-03-22upd. 2025-11-12

This vulnerability allows access to arbitrary files in the application server file system due to a path traversal vulnerability in JavaServer Faces (JSF) 2.2.20 documented in CVE-2020-6950. The remediation for this vulnerability contained in this security fix provides additional changes to the remediation announced in May 2021 tracked by ETN IIQSAW-3585 and January 2024 tracked by IIQFW-336. This vulnerability in IdentityIQ is assigned CVE-2024-2227.

🤖 AI Analysis
How it works

The vulnerability results from a path traversal flaw present in the JavaServer Faces (JSF) 2.2.20 library, originally documented in CVE-2020-6950. SailPoint issued earlier patches in May 2021 (ETN IIQSAW-3585) and in January 2024 (IIQFW-336), however CVE-2024-2227 indicates the need for additional changes as part of the remediation. An attacker, without any authentication, can craft an HTTP request containing path traversal sequences to escape the allowed application directory and read server system files.

Impact

An attacker can gain unauthorized access to arbitrary operating system files on the server, which may lead to disclosure of sensitive configuration data, credentials, private keys, or other sensitive information. Due to the scope of the vulnerability (high scores for confidentiality, integrity, and availability in CVSS), the impact may include complete takeover of control over the application environment.

Mitigation & patch

Patches available from the vendor should be applied according to the references (https://www.sailpoint.com/security-advisories/). The patch complements earlier remediation measures IIQSAW-3585 (May 2021) and IIQFW-336 (January 2024) and should be installed immediately.

Who is affected

SailPoint IdentityIQ — versions indicated in vendor references (SailPoint Security Advisories)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Sailpoint Identityiq

    APP
    Sailpoint
    8.18.28.38.4< 8.1
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Path Traversal
CWE
References

Related vulnerabilities

CVE-2024-10905CRITICAL10.0PL ✓ten sam produkt

SailPoint IdentityIQ — nieautoryzowany dostęp do chronionych zasobów statycznych

CVE-2023-32217CRITICAL9.0ten sam produkt

IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p3, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p6...

CVE-2026-5712HIGH8.0ten sam produkt

This vulnerability impacts all versions of IdentityIQ and allows an authenticated identity that is the request...

CVE-2025-10280HIGH7.1ten sam produkt

IdentityIQ 8.5, IdentityIQ 8.4 and all 8.4 patch levels prior to 8.4p4, IdentityIQ 8.3 and all 8.3 patch level...

CVE-2024-2228HIGH7.1ten sam produkt

This vulnerability allows an authenticated user to perform a Lifecycle Manager flow or other QuickLink for a t...