December 4, 2024 at 12:45AM
A critical vulnerability (CVE-2024-10905) in SailPoint’s IdentityIQ software allows unauthorized access to application directory content, with a CVSS score of 10.0. Affected versions include 8.2, 8.3, and 8.4, along with their respective patch levels. No security advisory from SailPoint has been released yet.
**Meeting Takeaways – December 4, 2024**
1. **Vulnerability Disclosed**: A critical vulnerability (CVE-2024-10905) has been identified in SailPoint’s IdentityIQ software; it allows unauthorized access to content in the application directory.
2. **Severity Rating**: The vulnerability has a CVSS score of **10.0**, indicating maximum severity.
3. **Affected Versions**:
   - IdentityIQ versions **8.2, 8.3, and 8.4** are affected, including:
     - **8.4 and all patch levels prior to 8.4p2**
     - **8.3 and all patch levels prior to 8.3p5**
     - **8.2 and all patch levels prior to 8.2p8**
     - **All versions** prior to 8.2.
4. **Nature of the Vulnerability**: It is categorized as improper handling of file names (CWE-66), which could enable access to restricted files.
5. **Current Status**: As of now, there are no additional details from SailPoint regarding the vulnerability, and no security advisory has been released.
6. **Follow-up**: The Hacker News has reached out to SailPoint for comment and will provide updates as they become available.
**Next Steps**: Monitor for updates from SailPoint and assess the impact of this vulnerability on current systems using IdentityIQ.
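
To support the impact assessment, the affected-version list above can be applied to an inventory of IdentityIQ deployments. The following is an added example, not SailPoint code; the `<major>.<minor>[p<N>]` version-string format, the function names and the sample hostnames are assumptions made for illustration.

```python
import re

# First patch level outside the affected range for each release line,
# taken from the affected-versions list above.
FIRST_UNAFFECTED_PATCH = {(8, 4): 2, (8, 3): 5, (8, 2): 8}

# Assumed format: "<major>.<minor>" with an optional "p<N>" patch suffix.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:p(\d+))?\s*$", re.IGNORECASE)


def parse_version(text):
    """Return (major, minor, patch); a missing patch suffix means patch level 0."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised IdentityIQ version string: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def classify(text):
    """Return 'affected', 'unaffected', 'not-listed' or 'unparsed'."""
    try:
        major, minor, patch = parse_version(text)
    except ValueError:
        return "unparsed"  # needs manual review, never assume it is safe
    line = (major, minor)
    if line < (8, 2):
        return "affected"  # all versions prior to 8.2
    if line in FIRST_UNAFFECTED_PATCH:
        return "affected" if patch < FIRST_UNAFFECTED_PATCH[line] else "unaffected"
    return "not-listed"  # release line the summary says nothing about


def triage(inventory):
    """Map each host to its status so affected and unknown entries get followed up."""
    return {host: classify(version) for host, version in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative only.
    sample = {
        "iiq-prod-01": "8.4p1",
        "iiq-prod-02": "8.3p5",
        "iiq-test-01": "8.2",
        "iiq-legacy": "7.3p2",
        "iiq-lab": "n/a",
    }
    for host, status in sorted(triage(sample).items()):
        print(f"{host:12} {status}")
```

Entries reported as `not-listed` or `unparsed` should be checked by hand rather than treated as safe.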