A severe security flaw has been discovered in SailPoint's IdentityIQ software that could allow attackers to access protected files without authorization. The vulnerability received the highest possible severity rating with a CVSS score of 10.0.
The security issue, identified as CVE-2024-10905, affects the identity and access management (IAM) platform at version 8.4 and every earlier release, including the 8.3 and 8.2 branches.
At its core, the vulnerability stems from improper handling of file names that identify virtual resources within the application, the weakness class catalogued as CWE-66. The flaw enables HTTP access to static content in the IdentityIQ application directory that should remain protected from unauthorized users.
In practical terms this is a file-access weakness: a request whose path the application treats as a virtual resource can resolve to a file that its access rules were meant to keep off the web, letting a remote client read content that should be inaccessible under normal circumstances.
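The bug class described above is easiest to see side by side with its fix. The following is an added illustration, not code from IdentityIQ or SailPoint: a hypothetical static-content resolver for a web application whose root contains protected subtrees (the `WEB-INF` and `META-INF` names are the usual Java web-application convention and are assumptions here, as is the percent-encoding bypass, which stands in for the class of mismatch between the name a request carries and the resource it resolves to; it is not a description of the actual IdentityIQ defect). The vulnerable version screens the raw request string before the server decodes and resolves it, so an encoded or case-varied name passes the check and the file is served; the hardened version decodes, normalizes, resolves to a real path, and only then checks containment and the protected list on the canonical components.

```python
import posixpath
import tempfile
from pathlib import Path
from urllib.parse import unquote

# Hypothetical layout: everything under the web root is served except these
# subtrees. Illustrative names only, not taken from IdentityIQ.
PROTECTED = ("WEB-INF", "META-INF")


class Forbidden(Exception):
    """Raised when a request must be answered with 403."""


def resolve_vulnerable(web_root: Path, request_path: str) -> Path:
    """Vulnerable pattern: checks the raw request string, then lets the
    filesystem resolve the decoded path. Encoded, dot-segment and
    case-varied names do not match the literal check but still resolve."""
    for name in PROTECTED:
        if name in request_path:
            raise Forbidden(request_path)
    return web_root / unquote(request_path).lstrip("/")


def resolve_hardened(web_root: Path, request_path: str) -> Path:
    """Hardened pattern: canonicalize first, decide second."""
    decoded = unquote(request_path)
    if "\x00" in decoded:
        raise Forbidden(request_path)
    # Collapse '.', '..' and repeated slashes on the virtual path; the leading
    # '/' keeps '..' from climbing above the root during normalization.
    normalized = posixpath.normpath("/" + decoded)
    parts = [p for p in normalized.split("/") if p]
    # Case-insensitive comparison so the rule also holds on filesystems that
    # ignore case.
    if any(p.upper() in PROTECTED for p in parts):
        raise Forbidden(request_path)
    root = web_root.resolve()
    candidate = (root / Path(*parts)).resolve()  # follows symlinks
    if candidate != root and root not in candidate.parents:
        raise Forbidden(request_path)
    # Re-check after symlink resolution: the real path may land in a
    # protected directory even though the virtual path did not.
    if any(p.upper() in PROTECTED for p in candidate.relative_to(root).parts):
        raise Forbidden(request_path)
    return candidate


def build_demo_webapp() -> Path:
    """Constructed sample deployment: one public page and one protected file."""
    root = Path(tempfile.mkdtemp(prefix="webapp-"))
    (root / "index.html").write_text("<h1>public</h1>")
    (root / "WEB-INF").mkdir()
    (root / "WEB-INF" / "web.xml").write_text("<web-app/>")
    return root


def probe(resolver, web_root: Path, request_path: str) -> str:
    """Mimic a static handler: 'served', 'forbidden' or 'missing'."""
    try:
        target = resolver(web_root, request_path)
    except Forbidden:
        return "forbidden"
    return "served" if target.is_file() else "missing"


if __name__ == "__main__":
    root = build_demo_webapp()
    requests = ["/index.html", "/WEB-INF/web.xml", "/WEB%2DINF/web.xml",
                "/web-inf/web.xml", "/%2e%2e/%2e%2e/etc/passwd"]
    for req in requests:
        print(f"{req:28} vulnerable={probe(resolve_vulnerable, root, req):9} "
              f"hardened={probe(resolve_hardened, root, req)}")
```

The point of the hardened resolver is ordering: every check runs on the canonical path the filesystem will actually open, never on the string the client sent. The same ordering applies to a reverse proxy or servlet filter placed in front of an application: a rule written against the raw request line can be sidestepped by any encoding the backend accepts.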
The following versions are known to be vulnerable:
- Version 8.4 and all patch levels before 8.4p2
- Version 8.3 and all patch levels before 8.3p5
- Version 8.2 and all patch levels before 8.2p8
- All releases before 8.2
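Reading the affected ranges above: 8.4p2, 8.3p5 and 8.2p8 are the first patch levels on their branches that fall outside them, and nothing older than 8.2 has a fixed patch level listed. The following added example, which is not SailPoint's tooling, turns that list into a check an administrator can run against the version string of each deployment. It assumes version strings of the form `major.minor[pN]` (for example `8.3p4`); a branch newer than 8.4 is reported as outside the listed ranges, not as confirmed safe.

```python
import re

# Fixed patch levels per branch, transcribed from the affected-version list:
# 8.4 before 8.4p2, 8.3 before 8.3p5, 8.2 before 8.2p8. Everything older
# than 8.2 is affected and has no fixed patch level listed.
FIXED_PATCH_LEVEL = {(8, 4): 2, (8, 3): 5, (8, 2): 8}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:p(\d+))?$")


def parse_version(text: str) -> tuple:
    """Parse 'major.minor[pN]' into (major, minor, patch); patch is 0 when absent."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised IdentityIQ version string: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_affected(text: str) -> bool:
    """True when the version falls inside a listed affected range for CVE-2024-10905."""
    major, minor, patch = parse_version(text)
    branch = (major, minor)
    if branch in FIXED_PATCH_LEVEL:
        return patch < FIXED_PATCH_LEVEL[branch]
    if branch > max(FIXED_PATCH_LEVEL):
        # Newer than the newest listed branch: not in the listed ranges.
        return False
    # Older than 8.2: every release is affected.
    return True


def minimum_fixed_version(text: str):
    """Smallest fixed patch level on the same branch, or None when none is listed
    (older branches need an upgrade to a supported branch)."""
    major, minor, _ = parse_version(text)
    level = FIXED_PATCH_LEVEL.get((major, minor))
    return f"{major}.{minor}p{level}" if level is not None else None


if __name__ == "__main__":
    # Constructed inventory, not real deployments.
    for host, version in [("iiq-prod", "8.3p4"), ("iiq-dev", "8.4p2"), ("iiq-legacy", "8.1p3")]:
        status = "AFFECTED" if is_affected(version) else "not in listed ranges"
        print(f"{host:12} {version:7} {status:22} fix: {minimum_fixed_version(version)}")
```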
While the full technical details of the vulnerability have not been publicly disclosed, organizations running affected versions of IdentityIQ should move to the first patch level outside the affected range on their branch (8.4p2, 8.3p5 or 8.2p8) or upgrade from branches older than 8.2, and should monitor SailPoint's channels for further guidance. At the time of writing the company had not yet released an official security advisory addressing this flaw. Until a patch is in place, a reverse proxy in front of the application can deny requests for directories that are never meant to be served, and access logs for the IdentityIQ context path should be reviewed for requests to static content that unexpectedly succeeded.
Given the widespread use of IdentityIQ in managing user identities and access permissions across organizations, this security flaw presents a notable risk that requires immediate attention from system administrators.