CWE-66
AllowedImproper Handling of File Names that Identify Virtual Resources
Abstraction: Base · Status: Draft
The product does not handle or incorrectly handles a file name that identifies a "virtual" resource that is not directly specified within the directory that is associated with the file name, causing the product to perform file-based operations on a resource that is not a file.
2 vulnerabilities reference this CWE, most recent first.
CVE-2024-10905 (GCVE-0-2024-10905)
Vulnerability from cvelistv5 – Published: 2024-12-02 14:49 – Updated: 2025-01-06 17:42- CWE-66 - Improper Handling of File Names that Identify Virtual Resources
| Vendor | Product | Version | |
|---|---|---|---|
| SailPoint Technologies | IdentityIQ |
Affected:
8.2 , < 8.2p8
(semver)
Affected: 8.3 , < 8.3p5 (semver) Affected: 8.4 , < 8.4p2 (semver) |
|
| sailpoint | identityiq |
Affected:
8.2 , < 8.2p8
(semver)
Affected: 8.3 , < 8.3p5 (semver) Affected: 8.4 , < 8.4p2 (semver) cpe:2.3:a:sailpoint:identityiq:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:sailpoint:identityiq:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "identityiq",
"vendor": "sailpoint",
"versions": [
{
"lessThan": "8.2p8",
"status": "affected",
"version": "8.2",
"versionType": "semver"
},
{
"lessThan": "8.3p5",
"status": "affected",
"version": "8.3",
"versionType": "semver"
},
{
"lessThan": "8.4p2",
"status": "affected",
"version": "8.4",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-10905",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-03T04:55:24.996838Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-06T17:42:22.215Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "IdentityIQ",
"vendor": "SailPoint Technologies",
"versions": [
{
"lessThan": "8.2p8",
"status": "affected",
"version": "8.2",
"versionType": "semver"
},
{
"lessThan": "8.3p5",
"status": "affected",
"version": "8.3",
"versionType": "semver"
},
{
"lessThan": "8.4p2",
"status": "affected",
"version": "8.4",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IdentityIQ 8.4 and all 8.4 patch levels prior to 8.4p2, IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p5, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p8, and all prior versions\u0026nbsp;\u003cspan style=\"background-color: var(--wht);\"\u003eallow HTTP/HTTPS access to\u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: var(--wht);\"\u003estatic content in the IdentityIQ application directory that should be protected.\u003c/span\u003e\u003cspan style=\"background-color: var(--wht);\"\u003e\u003cbr\u003e\u003c/span\u003e\n\n\n\u003cbr\u003e"
}
],
"value": "IdentityIQ 8.4 and all 8.4 patch levels prior to 8.4p2, IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p5, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p8, and all prior versions\u00a0allow HTTP/HTTPS access to\u00a0static content in the IdentityIQ application directory that should be protected."
}
],
"impacts": [
{
"capecId": "CAPEC-1",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-66",
"description": "CWE-66: Improper Handling of File Names that Identify Virtual Resources",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-06T17:57:12.682Z",
"orgId": "2cfc7547-56a0-4049-8b52-c3078e8a8719",
"shortName": "SailPoint"
},
"references": [
{
"url": "https://www.sailpoint.com/security-advisories/identityiq-improper-access-control-vulnerability-cve-2024-10905"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://community.sailpoint.com/t5/IdentityIQ-Blog/IdentityIQ-Improper-Access-Control-Vulnerability/ba-p/261409\"\u003ehttps://community.sailpoint.com/t5/IdentityIQ-Blog/IdentityIQ-Improper-Access-Control-Vulnerability/...\u003c/a\u003e"
}
],
"value": "https://community.sailpoint.com/t5/IdentityIQ-Blog/IdentityIQ-Improper-Access-Control-Vulnerability/... https://community.sailpoint.com/t5/IdentityIQ-Blog/IdentityIQ-Improper-Access-Control-Vulnerability/ba-p/261409"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IdentityIQ Improper Access Control VulnerabilityIdentityIQ Improper Access Control Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2cfc7547-56a0-4049-8b52-c3078e8a8719",
"assignerShortName": "SailPoint",
"cveId": "CVE-2024-10905",
"datePublished": "2024-12-02T14:49:51.199Z",
"dateReserved": "2024-11-05T20:21:47.258Z",
"dateUpdated": "2025-01-06T17:42:22.215Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
GHSA-9JCJ-C3PX-4JC5
Vulnerability from github – Published: 2024-12-02 15:31 – Updated: 2025-11-12 18:31IdentityIQ 8.4 and all 8.4 patch levels prior to 8.4p2, IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p5, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p8, and all prior versions allows HTTP access to static content in the IdentityIQ application directory that should be protected.
{
"affected": [],
"aliases": [
"CVE-2024-10905"
],
"database_specific": {
"cwe_ids": [
"CWE-66"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-02T15:15:10Z",
"severity": "CRITICAL"
},
"details": "IdentityIQ 8.4 and all 8.4 patch levels prior to 8.4p2, IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p5, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p8, and all prior versions\u00a0allows HTTP access to\u00a0static content in the IdentityIQ application directory that should be protected.",
"id": "GHSA-9jcj-c3px-4jc5",
"modified": "2025-11-12T18:31:02Z",
"published": "2024-12-02T15:31:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10905"
},
{
"type": "WEB",
"url": "https://www.sailpoint.com/security-advisories"
},
{
"type": "WEB",
"url": "https://www.sailpoint.com/security-advisories/identityiq-improper-access-control-vulnerability-cve-2024-10905"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.