December 6, 2024 at 12:55AM
SailPoint warned of a critical vulnerability (CVE-2024-10905) in its IdentityIQ IAM platform that allows unauthorized access to files because of improper access control. The flaw carries a CVSS score of 10/10. E-fixes are available, and users are urged to update promptly to prevent potential data compromise.
**Meeting Takeaways: SailPoint IdentityIQ Vulnerability Alert**
1. **Critical Vulnerability Identified**: SailPoint has reported a critical-severity vulnerability (CVE-2024-10905) in its IdentityIQ IAM platform, allowing unauthorized access to restricted files.
2. **Details of the Vulnerability**:
– **CVSS Score**: 10/10, the maximum, indicating critical severity.
– **Type**: Improper access control flaw, specifically a directory traversal vulnerability.
– **Affected Versions**: All IdentityIQ versions prior to the following patch levels (every release older than 8.2 is therefore affected as well):
– 8.4p2 (IdentityIQ 8.4)
– 8.3p5 (IdentityIQ 8.3)
– 8.2p8 (IdentityIQ 8.2)
3. **Exploit Risks**: The vulnerability could lead to:
– Unauthorized access to sensitive data, including credentials and personal information.
– Risk of data compromise and file modification.
4. **Current Status**:
– No known active exploitation of the vulnerability has been reported.
– Users are urged to update their IdentityIQ instances promptly.
5. **Remediation**: SailPoint has issued electronic fixes (e-fixes) for the affected versions of IdentityIQ and plans to fold them into future patch releases.
6. **Industry Advisory**: Following a similar warning in May by CISA and the FBI regarding path traversal bugs, there is an emphasis on adopting secure-by-design software development practices to mitigate such vulnerabilities.
7. **Action Items**: Users of SailPoint IdentityIQ should:
– Review their current version and patch level.
– Apply recommended updates and fixes immediately to ensure security.
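The bug class named above (a static-file handler that lets a request path escape the directory it is meant to serve) is easy to show in a few lines. The following is an added, generic illustration written for this page: it is not SailPoint code, does not model how IdentityIQ serves files, and the web root, file names and "secret" it builds are constructed sample data.

```python
"""Path traversal in a static-file handler: the naive version beside a
hardened one. Generic illustration; not SailPoint code and not a model of
IdentityIQ's internals."""
import os
import tempfile
from urllib.parse import unquote


def resolve_request(public_root: str, request_path: str):
    """Map a URL path onto the filesystem; return the resolved path, or None
    when it would land outside public_root.

    Percent-decode first (so %2e%2e is seen as ..), drop leading slashes (so
    an absolute request cannot replace the root inside os.path.join), then
    canonicalise with realpath so '..' and symlinks are folded before the
    containment check."""
    root = os.path.realpath(public_root)
    relative = unquote(request_path).lstrip("/\\")
    candidate = os.path.realpath(os.path.join(root, relative))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def serve_vulnerable(public_root: str, request_path: str) -> bytes:
    """The bug class: join the request onto the root with no containment check."""
    with open(os.path.join(public_root, unquote(request_path)), "rb") as f:
        return f.read()


def serve_hardened(public_root: str, request_path: str) -> bytes:
    """Same handler, but only files that resolve inside the web root are read."""
    path = resolve_request(public_root, request_path)
    if path is None:
        raise PermissionError(f"refused: {request_path!r} escapes the web root")
    with open(path, "rb") as f:
        return f.read()


def run_demo() -> dict:
    """Build a constructed web root (one public asset, one protected file one
    level above it) and exercise both handlers against it."""
    base = tempfile.mkdtemp(prefix="traversal-demo-")
    public = os.path.join(base, "public")
    os.makedirs(public)
    with open(os.path.join(public, "logo.png"), "wb") as f:
        f.write(b"PNG")
    with open(os.path.join(base, "app.properties"), "w") as f:
        f.write("db.password=hunter2\n")  # constructed sample secret, not real config
    results = {
        "vulnerable_leaks_secret":
            serve_vulnerable(public, "../app.properties") == b"db.password=hunter2\n",
        "hardened_serves_public": serve_hardened(public, "logo.png") == b"PNG",
    }
    try:
        serve_hardened(public, "%2e%2e/app.properties")  # encoded traversal attempt
        results["hardened_blocks_traversal"] = False
    except PermissionError:
        results["hardened_blocks_traversal"] = True
    return results


if __name__ == "__main__":
    print(run_demo())
```

The containment check is done on the canonicalised path rather than on the raw string: stripping `..` from the request text is the classic mistake, because encoded, doubled or symlinked forms bypass it, while `realpath` followed by `commonpath` decides on where the file actually is.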
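For the action items, the check that matters is whether each instance is at or beyond the fixed patch level for its release line. Below is an added helper for that comparison, not SailPoint tooling: it encodes only the patch levels named in this alert (8.4p2, 8.3p5, 8.2p8, everything older than 8.2 affected), and the `major.minorpN` version-string format and the inventory lines it parses are assumptions made for the example.

```python
"""Triage IdentityIQ version strings against the fixed patch levels in the
CVE-2024-10905 alert. Written for this page; version-string format and the
inventory sample are assumed, not taken from SailPoint."""
import re

# Release line -> first patch level that carries the fix, per the alert.
FIXED_PATCH_LEVELS = {(8, 4): 2, (8, 3): 5, (8, 2): 8}
OLDEST_FIXED_LINE = (8, 2)

_VERSION_RE = re.compile(r"\s*(\d+)\.(\d+)(?:p(\d+))?\s*$")


def parse_version(text: str):
    """'8.3p4' -> (8, 3, 4); a bare '8.3' is treated as patch level 0."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised IdentityIQ version string: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def assess(version: str) -> str:
    """Return 'vulnerable', 'fixed', or 'not-in-advisory'.

    A line newer than any the alert names is reported as not-in-advisory
    rather than guessed at; the alert does not say anything about it."""
    major, minor, patch = parse_version(version)
    line = (major, minor)
    if line < OLDEST_FIXED_LINE:
        return "vulnerable"  # 'all prior versions' are affected
    fixed_at = FIXED_PATCH_LEVELS.get(line)
    if fixed_at is None:
        return "not-in-advisory"
    return "fixed" if patch >= fixed_at else "vulnerable"


def triage(inventory: str):
    """Parse 'host version' lines (assumed format) and assess each one."""
    report = []
    for raw in inventory.splitlines():
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        host, version = raw.split()
        report.append((host, version, assess(version)))
    return report


# Constructed sample inventory; host names and versions are made up.
SAMPLE_INVENTORY = """
# host            version
iiq-prod-01       8.4p1
iiq-prod-02       8.4p2
iiq-uat-01        8.3p4
iiq-legacy-01     8.1p3
iiq-dev-01        8.3p5
"""


def vulnerable_hosts(inventory: str = SAMPLE_INVENTORY):
    return [host for host, _, status in triage(inventory) if status == "vulnerable"]


if __name__ == "__main__":
    for host, version, status in triage(SAMPLE_INVENTORY):
        print(f"{host:16} {version:8} {status}")
```

Unknown release lines are deliberately reported rather than assumed safe, and a version with no `pN` suffix is scored as patch level 0, so an unpatched base install of 8.4 shows up as vulnerable instead of slipping through a string comparison.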