CVE-2024-10905

IdentityIQ 8.4 and all 8.4 patch levels prior to 8.4p2, IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p5, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p8, and all prior versions allow HTTP/HTTPS access to static content in the IdentityIQ application directory that should be protected.

CVSS v3 10.0 CRITICAL

10.0^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://www.sailpoint.com/security-advisories/identityiq-improper-access-control-vulnerability-cve-2024-10905	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:sailpoint:identityiq::::::::
	cpe:2.3:a:sailpoint:identityiq:8.2:-::::::
	cpe:2.3:a:sailpoint:identityiq:8.2:patch1::::::
	cpe:2.3:a:sailpoint:identityiq:8.2:patch2::::::
	cpe:2.3:a:sailpoint:identityiq:8.2:patch4::::::
	cpe:2.3:a:sailpoint:identityiq:8.2:patch5::::::
	cpe:2.3:a:sailpoint:identityiq:8.2:patch7::::::
	cpe:2.3:a:sailpoint:identityiq:8.3:-::::::
	cpe:2.3:a:sailpoint:identityiq:8.3:patch1::::::
	cpe:2.3:a:sailpoint:identityiq:8.3:patch2::::::
	cpe:2.3:a:sailpoint:identityiq:8.3:patch4::::::
	cpe:2.3:a:sailpoint:identityiq:8.4:-::::::
	cpe:2.3:a:sailpoint:identityiq:8.4:patch1::::::

History

No history.

Information

Published : 2024-12-02 15:15

Updated : 2025-11-12 15:49

NVD link : CVE-2024-10905

Mitre link : CVE-2024-10905

CVE.ORG link : CVE-2024-10905

JSON object : View

Products Affected

sailpoint

identityiq

CWE

CWE-66

Improper Handling of File Names that Identify Virtual Resources

{"id": "CVE-2024-10905", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "psirt@sailpoint.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 10.0, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2024-12-02T15:15:10.240", "references": [{"url": "https://www.sailpoint.com/security-advisories/identityiq-improper-access-control-vulnerability-cve-2024-10905", "tags": ["Vendor Advisory"], "source": "psirt@sailpoint.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "psirt@sailpoint.com", "description": [{"lang": "en", "value": "CWE-66"}]}], "descriptions": [{"lang": "en", "value": "IdentityIQ 8.4 and all 8.4 patch levels prior to 8.4p2, IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p5, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p8, and all prior versions\u00a0allow HTTP/HTTPS access to\u00a0static content in the IdentityIQ application directory that should be protected."}, {"lang": "es", "value": "IdentityIQ 8.4 y todos los niveles de parche 8.4 anteriores a 8.4p2, IdentityIQ 8.3 y todos los niveles de parche 8.3 anteriores a 8.3p5, IdentityIQ 8.2 y todos los niveles de parche 8.2 anteriores a 8.2p8, y todas las versiones anteriores permiten el acceso HTTP a contenido est\u00e1tico en el directorio de la aplicaci\u00f3n IdentityIQ que debe estar protegido."}], "lastModified": "2025-11-12T15:49:07.857", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:sailpoint:identityiq:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0A31EEA4-6703-4B64-AAD4-A9FCA993C156", "versionEndExcluding": "8.2"}, {"criteria": "cpe:2.3:a:sailpoint:identityiq:8.2:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "224129BF-667F-4F6A-8E9A-15390F6FA3D5"}, {"criteria": "cpe:2.3:a:sailpoint:identityiq:8.2:patch1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2A8C2668-C1F1-4A67-A2B3-99B5746C6A52"}, {"criteria": "cpe:2.3:a:sailpoint:identityiq:8.2:patch2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A9D91EB5-EC8E-4200-9245-13E37312343D"}, {"criteria": "cpe:2.3:a:sailpoint:identityiq:8.2:patch4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "63352C53-ADD8-49CD-B9E6-648183BDED68"}, {"criteria": "cpe:2.3:a:sailpoint:identityiq:8.2:patch5:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DBDD484D-BF0D-4246-9701-0BF3DD2194E4"}, {"criteria": "cpe:2.3:a:sailpoint:identityiq:8.2:patch7:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6DC90C12-F7B6-4CF1-9B7D-A329E8BE79EC"}, {"criteria": "cpe:2.3:a:sailpoint:identityiq:8.3:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1173CC53-CBE5-450C-96BF-8583D1B3D185"}, {"criteria": "cpe:2.3:a:sailpoint:identityiq:8.3:patch1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2C0F5E55-5D33-425F-9DA7-49FE66CD84C4"}, {"criteria": "cpe:2.3:a:sailpoint:identityiq:8.3:patch2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1A2FD228-E6DB-49E3-BE3E-1BF9B0434FC0"}, {"criteria": "cpe:2.3:a:sailpoint:identityiq:8.3:patch4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0652D99D-DC1E-4E22-8E7D-AE080494C50B"}, {"criteria": "cpe:2.3:a:sailpoint:identityiq:8.4:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4BC4F08D-A3FB-41F6-8EFD-6F34FBC0F75F"}, {"criteria": "cpe:2.3:a:sailpoint:identityiq:8.4:patch1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4ECFADA6-BB7B-4228-9434-B92B2FF21481"}], "operator": "OR"}]}], "sourceIdentifier": "psirt@sailpoint.com"}