SailPoint reports critical vulnerability in IdentityIQ IAM platform
Take action: If you are running IdentityIQ IAM platform, time for a patch - ASAP. Even though exploit details are not available, the maximum severity score means that a lot of people will try things out. The proverbial cat will be out of the bag soon, and hackers will start exploiting the flaw. Don't wait for the cat.
Learn More
SailPoint has disclosed a critical security vulnerability in their IdentityIQ identity and access management (IAM) software platform.
The vulnerability is tracked as CVE-2024-10905 (CVSS score 10.0) and allows unauthorized HTTP access to static content within the IdentityIQ application directory that should be protected, potentially exposing sensitive information and resources. The vulnerability has been classified as improper handling of file names that identify virtual resources.
Affected versions:
- IdentityIQ 8.4 and all 8.4 patch levels prior to 8.4p2
- IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p5
- IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p8
- All previous versions of IdentityIQ
SailPoint has addressed this vulnerability by releasing e-fixes for all impacted and supported versions of IdentityIQ. The company has confirmed that future patch levels will include these security fixes once they become available.
Users are strongly advised to update to the following patched versions: 8.4p2, 8.3p5, or 8.2p8, depending on their current installation.
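The affected and fixed patch levels above are easy to misread when checked by hand across an estate of servers (an "8.4" with no patch level is affected, "8.2p9" is not, and anything older than 8.2 has no fix listed). The script below is an added example, not SailPoint's tooling: it encodes the advisory's version table and triages a constructed inventory of hostnames and version strings. The version-string format `MAJOR.MINORpN` and the sample inventory are assumptions for illustration; branches newer than the ones named in the advisory are reported as undetermined rather than guessed at.

```python
import re

# Fixed patch level per branch, as stated in the advisory:
# 8.4p2, 8.3p5 and 8.2p8. Anything below these on the same branch is affected.
FIXED_PATCH_LEVELS = {(8, 4): 2, (8, 3): 5, (8, 2): 8}

# "All previous versions of IdentityIQ" are affected and have no fix listed.
OLDEST_FIXED_BRANCH = (8, 2)

# Assumed version-string format: "8.4", "8.4p1", "8.3p5" (patch level optional).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:p(\d+))?$")


def parse_version(text):
    """Parse 'MAJOR.MINOR' or 'MAJOR.MINORpN' into (major, minor, patch).

    A missing patch level means the base release, i.e. patch level 0.
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised IdentityIQ version string: {text!r}")
    major, minor, patch = match.groups()
    return int(major), int(minor), int(patch or 0)


def is_vulnerable(text):
    """Return True if affected, False if at/above the fixed level, None if the
    branch is newer than the advisory covers and must be checked against
    a current vendor bulletin."""
    major, minor, patch = parse_version(text)
    branch = (major, minor)
    if branch in FIXED_PATCH_LEVELS:
        return patch < FIXED_PATCH_LEVELS[branch]
    if branch < OLDEST_FIXED_BRANCH:
        return True
    return None


def required_upgrade(text):
    """Name the patched version a host on a covered branch should move to."""
    major, minor, _ = parse_version(text)
    fixed = FIXED_PATCH_LEVELS.get((major, minor))
    if fixed is None:
        # Older branches have no e-fix listed; the advisory's lowest fixed level is 8.2p8.
        return "8.2p8 or later supported branch"
    return f"{major}.{minor}p{fixed}"


def triage(inventory):
    """Map each hostname to an action string for a patch tracking ticket."""
    report = {}
    for host, version in inventory.items():
        status = is_vulnerable(version)
        if status is True:
            report[host] = f"VULNERABLE ({version}) -> upgrade to {required_upgrade(version)}"
        elif status is False:
            report[host] = f"patched ({version})"
        else:
            report[host] = f"UNDETERMINED ({version}) -> confirm against current vendor bulletin"
    return report


# Constructed sample inventory; hostnames and versions are made up for the example.
SAMPLE_INVENTORY = {
    "iiq-prod-01": "8.4p1",
    "iiq-prod-02": "8.4p2",
    "iiq-stage-01": "8.3",
    "iiq-legacy-01": "8.1p3",
    "iiq-lab-01": "8.5",
}

if __name__ == "__main__":
    for host, line in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {line}")
```

Run it against a CMDB export instead of the constructed inventory to get a per-host list of who needs 8.4p2, 8.3p5 or 8.2p8; the `None` result is deliberate so that a branch the advisory does not mention is never silently reported as safe.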
Currently, there are no reported instances of this vulnerability being exploited in the wild.