24 vulnerabilities found for identityiq by sailpoint
FKIE_CVE-2025-10280
Vulnerability from fkie_nvd - Published: 2025-11-03 17:15 - Updated: 2025-11-12 14:49
Severity ?
7.1 (High) - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
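IdentityIQ 8.5, IdentityIQ 8.4 and all 8.4 patch levels prior to 8.4p4, IdentityIQ 8.3 and all 8.3 patch levels including 8.3p5, and all prior versions allow some IdentityIQ web services that provide non-HTML content to be accessed via a URL path that sets the Content-Type to HTML, allowing a requesting browser to interpret as HTML content that is not properly escaped to prevent Cross-Site Scripting (XSS). Note that the CPE match list in the record below has no entry for 8.3 patch3 or 8.4 patch3, although both fall inside the ranges stated here; if those patch levels are deployed, version checks should follow the stated ranges and the vendor advisory rather than the CPE list alone.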
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| sailpoint | identityiq | * | |
| sailpoint | identityiq | 8.3 | |
| sailpoint | identityiq | 8.3 | |
| sailpoint | identityiq | 8.3 | |
| sailpoint | identityiq | 8.3 | |
| sailpoint | identityiq | 8.3 | |
| sailpoint | identityiq | 8.4 | |
| sailpoint | identityiq | 8.4 | |
| sailpoint | identityiq | 8.4 | |
| sailpoint | identityiq | 8.5 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B7992F80-093D-4277-9AA8-5438ABFBF83B",
"versionEndExcluding": "8.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.3:-:*:*:*:*:*:*",
"matchCriteriaId": "1173CC53-CBE5-450C-96BF-8583D1B3D185",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.3:patch1:*:*:*:*:*:*",
"matchCriteriaId": "2C0F5E55-5D33-425F-9DA7-49FE66CD84C4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.3:patch2:*:*:*:*:*:*",
"matchCriteriaId": "1A2FD228-E6DB-49E3-BE3E-1BF9B0434FC0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.3:patch4:*:*:*:*:*:*",
"matchCriteriaId": "0652D99D-DC1E-4E22-8E7D-AE080494C50B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.3:patch5:*:*:*:*:*:*",
"matchCriteriaId": "D7964011-B0F1-4F07-8C14-6EEA0B421F80",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.4:-:*:*:*:*:*:*",
"matchCriteriaId": "4BC4F08D-A3FB-41F6-8EFD-6F34FBC0F75F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.4:patch1:*:*:*:*:*:*",
"matchCriteriaId": "4ECFADA6-BB7B-4228-9434-B92B2FF21481",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.4:patch2:*:*:*:*:*:*",
"matchCriteriaId": "A39B1317-37C0-49DA-9207-7B7CBE6EC190",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.5:-:*:*:*:*:*:*",
"matchCriteriaId": "01FF7480-9CBA-4283-994C-B2586C2F5F54",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "IdentityIQ\n8.5, IdentityIQ 8.4 and all 8.4 patch levels prior to 8.4p4, IdentityIQ 8.3 and\nall 8.3 patch levels including 8.3p5, and all prior versions allows some\nIdentityIQ web services that provide non-HTML content to be accessed via a URL\npath that will set the Content-Type to HTML allowing a requesting browser to\ninterpret content not properly escaped to prevent Cross-Site Scripting (XSS)."
}
],
"id": "CVE-2025-10280",
"lastModified": "2025-11-12T14:49:56.593",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "psirt@sailpoint.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-11-03T17:15:32.527",
"references": [
{
"source": "psirt@sailpoint.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.sailpoint.com/security-advisories/sailpoint-identityiq-incorrect-content-type-cross-site-scripting-vulnerability-cve-2025-10280"
}
],
"sourceIdentifier": "psirt@sailpoint.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "psirt@sailpoint.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2024-10905
Vulnerability from fkie_nvd - Published: 2024-12-02 15:15 - Updated: 2025-11-12 15:49
Severity ?
10.0 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
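IdentityIQ 8.4 and all 8.4 patch levels prior to 8.4p2, IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p5, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p8, and all prior versions allow HTTP/HTTPS access to static content in the IdentityIQ application directory that should be protected. Note that the CPE match list in the record below has no entry for 8.2 patch3, 8.2 patch6 or 8.3 patch3, although these fall inside the ranges stated here; if those patch levels are deployed, version checks should follow the stated ranges and the vendor advisory rather than the CPE list alone.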
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| sailpoint | identityiq | * | |
| sailpoint | identityiq | 8.2 | |
| sailpoint | identityiq | 8.2 | |
| sailpoint | identityiq | 8.2 | |
| sailpoint | identityiq | 8.2 | |
| sailpoint | identityiq | 8.2 | |
| sailpoint | identityiq | 8.2 | |
| sailpoint | identityiq | 8.3 | |
| sailpoint | identityiq | 8.3 | |
| sailpoint | identityiq | 8.3 | |
| sailpoint | identityiq | 8.3 | |
| sailpoint | identityiq | 8.4 | |
| sailpoint | identityiq | 8.4 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0A31EEA4-6703-4B64-AAD4-A9FCA993C156",
"versionEndExcluding": "8.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.2:-:*:*:*:*:*:*",
"matchCriteriaId": "224129BF-667F-4F6A-8E9A-15390F6FA3D5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.2:patch1:*:*:*:*:*:*",
"matchCriteriaId": "2A8C2668-C1F1-4A67-A2B3-99B5746C6A52",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.2:patch2:*:*:*:*:*:*",
"matchCriteriaId": "A9D91EB5-EC8E-4200-9245-13E37312343D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.2:patch4:*:*:*:*:*:*",
"matchCriteriaId": "63352C53-ADD8-49CD-B9E6-648183BDED68",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.2:patch5:*:*:*:*:*:*",
"matchCriteriaId": "DBDD484D-BF0D-4246-9701-0BF3DD2194E4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.2:patch7:*:*:*:*:*:*",
"matchCriteriaId": "6DC90C12-F7B6-4CF1-9B7D-A329E8BE79EC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.3:-:*:*:*:*:*:*",
"matchCriteriaId": "1173CC53-CBE5-450C-96BF-8583D1B3D185",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.3:patch1:*:*:*:*:*:*",
"matchCriteriaId": "2C0F5E55-5D33-425F-9DA7-49FE66CD84C4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.3:patch2:*:*:*:*:*:*",
"matchCriteriaId": "1A2FD228-E6DB-49E3-BE3E-1BF9B0434FC0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.3:patch4:*:*:*:*:*:*",
"matchCriteriaId": "0652D99D-DC1E-4E22-8E7D-AE080494C50B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.4:-:*:*:*:*:*:*",
"matchCriteriaId": "4BC4F08D-A3FB-41F6-8EFD-6F34FBC0F75F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.4:patch1:*:*:*:*:*:*",
"matchCriteriaId": "4ECFADA6-BB7B-4228-9434-B92B2FF21481",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "IdentityIQ 8.4 and all 8.4 patch levels prior to 8.4p2, IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p5, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p8, and all prior versions\u00a0allow HTTP/HTTPS access to\u00a0static content in the IdentityIQ application directory that should be protected."
},
{
"lang": "es",
"value": "IdentityIQ 8.4 y todos los niveles de parche 8.4 anteriores a 8.4p2, IdentityIQ 8.3 y todos los niveles de parche 8.3 anteriores a 8.3p5, IdentityIQ 8.2 y todos los niveles de parche 8.2 anteriores a 8.2p8, y todas las versiones anteriores permiten el acceso HTTP a contenido est\u00e1tico en el directorio de la aplicaci\u00f3n IdentityIQ que debe estar protegido."
}
],
"id": "CVE-2024-10905",
"lastModified": "2025-11-12T15:49:07.857",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10.0,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 6.0,
"source": "psirt@sailpoint.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-12-02T15:15:10.240",
"references": [
{
"source": "psirt@sailpoint.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.sailpoint.com/security-advisories/identityiq-improper-access-control-vulnerability-cve-2024-10905"
}
],
"sourceIdentifier": "psirt@sailpoint.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-66"
}
],
"source": "psirt@sailpoint.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2024-2227
Vulnerability from fkie_nvd - Published: 2024-03-22 16:15 - Updated: 2025-11-12 20:20
Severity ?
10.0 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
This vulnerability allows access to arbitrary files in the application server file system due to a path traversal vulnerability in JavaServer Faces (JSF) 2.2.20 documented in CVE-2020-6950. The remediation contained in this security fix makes additional changes to the remediations announced in May 2021 (tracked by ETN IIQSAW-3585) and in January 2024 (tracked by IIQFW-336). This vulnerability in IdentityIQ is assigned CVE-2024-2227.
References
| Source | URL | Tags | |
|---|---|---|---|
| psirt@sailpoint.com | https://www.sailpoint.com/security-advisories/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.sailpoint.com/security-advisories/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| sailpoint | identityiq | * | |
| sailpoint | identityiq | 8.1 | |
| sailpoint | identityiq | 8.1 | |
| sailpoint | identityiq | 8.1 | |
| sailpoint | identityiq | 8.1 | |
| sailpoint | identityiq | 8.1 | |
| sailpoint | identityiq | 8.1 | |
| sailpoint | identityiq | 8.2 | |
| sailpoint | identityiq | 8.2 | |
| sailpoint | identityiq | 8.2 | |
| sailpoint | identityiq | 8.2 | |
| sailpoint | identityiq | 8.2 | |
| sailpoint | identityiq | 8.3 | |
| sailpoint | identityiq | 8.3 | |
| sailpoint | identityiq | 8.3 | |
| sailpoint | identityiq | 8.4 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C76617A8-395F-4165-983E-9B9E77DFAA10",
"versionEndExcluding": "8.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.1:patch1:*:*:*:*:*:*",
"matchCriteriaId": "216615A8-0E21-4597-871C-AC121BF0E150",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.1:patch2:*:*:*:*:*:*",
"matchCriteriaId": "35ECC22F-B2A2-4750-B995-2944F12C1BFF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.1:patch3:*:*:*:*:*:*",
"matchCriteriaId": "9ECEF57B-DA34-402A-86F0-713A3683A172",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.1:patch4:*:*:*:*:*:*",
"matchCriteriaId": "1815D4C7-50FC-45DA-8130-E9258CAFBD09",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.1:patch5:*:*:*:*:*:*",
"matchCriteriaId": "F784765E-8B3C-4F96-B57A-E6E7AECE628C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.1:patch6:*:*:*:*:*:*",
"matchCriteriaId": "A7B4F481-4E74-4B56-9851-E1A665F5783D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.2:-:*:*:*:*:*:*",
"matchCriteriaId": "224129BF-667F-4F6A-8E9A-15390F6FA3D5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.2:patch1:*:*:*:*:*:*",
"matchCriteriaId": "2A8C2668-C1F1-4A67-A2B3-99B5746C6A52",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.2:patch2:*:*:*:*:*:*",
"matchCriteriaId": "A9D91EB5-EC8E-4200-9245-13E37312343D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.2:patch4:*:*:*:*:*:*",
"matchCriteriaId": "63352C53-ADD8-49CD-B9E6-648183BDED68",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.2:patch5:*:*:*:*:*:*",
"matchCriteriaId": "DBDD484D-BF0D-4246-9701-0BF3DD2194E4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.3:-:*:*:*:*:*:*",
"matchCriteriaId": "1173CC53-CBE5-450C-96BF-8583D1B3D185",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.3:patch1:*:*:*:*:*:*",
"matchCriteriaId": "2C0F5E55-5D33-425F-9DA7-49FE66CD84C4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.3:patch2:*:*:*:*:*:*",
"matchCriteriaId": "1A2FD228-E6DB-49E3-BE3E-1BF9B0434FC0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.4:-:*:*:*:*:*:*",
"matchCriteriaId": "4BC4F08D-A3FB-41F6-8EFD-6F34FBC0F75F",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "This vulnerability allows access to arbitrary files in the application server file system due to a path traversal vulnerability in JavaServer Faces (JSF) 2.2.20 documented in CVE-2020-6950. The remediation for this vulnerability contained in this security fix provides additional changes to the remediation announced in May 2021 tracked by ETN IIQSAW-3585 and January 2024 tracked by IIQFW-336. This vulnerability in IdentityIQ is assigned CVE-2024-2227."
},
{
"lang": "es",
"value": "Esta vulnerabilidad permite el acceso a archivos arbitrarios en el sistema de archivos del servidor de aplicaciones debido a una vulnerabilidad de path traversal en JavaServer Faces (JSF) 2.2.20 documentada en CVE-2020-6950. La soluci\u00f3n para esta vulnerabilidad contenida en esta soluci\u00f3n de seguridad proporciona cambios adicionales a la soluci\u00f3n anunciada en mayo de 2021 rastreada por ETN IIQSAW-3585 y en enero de 2024 rastreada por IIQFW-336. Esta vulnerabilidad en IdentityIQ tiene asignada CVE-2024-2227."
}
],
"id": "CVE-2024-2227",
"lastModified": "2025-11-12T20:20:36.150",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10.0,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 6.0,
"source": "psirt@sailpoint.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-03-22T16:15:09.253",
"references": [
{
"source": "psirt@sailpoint.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.sailpoint.com/security-advisories/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.sailpoint.com/security-advisories/"
}
],
"sourceIdentifier": "psirt@sailpoint.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "psirt@sailpoint.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2024-2228
Vulnerability from fkie_nvd - Published: 2024-03-22 16:15 - Updated: 2025-11-12 20:19
Severity ?
7.1 (High) - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
This vulnerability allows an authenticated user to perform a Lifecycle Manager flow or other QuickLink for a target user outside of the defined QuickLink Population.
References
| Source | URL | Tags | |
|---|---|---|---|
| psirt@sailpoint.com | https://www.sailpoint.com/security-advisories/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.sailpoint.com/security-advisories/ | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| sailpoint | identityiq | * | |
| sailpoint | identityiq | 8.1 | |
| sailpoint | identityiq | 8.1 | |
| sailpoint | identityiq | 8.1 | |
| sailpoint | identityiq | 8.1 | |
| sailpoint | identityiq | 8.1 | |
| sailpoint | identityiq | 8.1 | |
| sailpoint | identityiq | 8.2 | |
| sailpoint | identityiq | 8.2 | |
| sailpoint | identityiq | 8.2 | |
| sailpoint | identityiq | 8.2 | |
| sailpoint | identityiq | 8.2 | |
| sailpoint | identityiq | 8.3 | |
| sailpoint | identityiq | 8.3 | |
| sailpoint | identityiq | 8.3 | |
| sailpoint | identityiq | 8.4 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C76617A8-395F-4165-983E-9B9E77DFAA10",
"versionEndExcluding": "8.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.1:patch1:*:*:*:*:*:*",
"matchCriteriaId": "216615A8-0E21-4597-871C-AC121BF0E150",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.1:patch2:*:*:*:*:*:*",
"matchCriteriaId": "35ECC22F-B2A2-4750-B995-2944F12C1BFF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.1:patch3:*:*:*:*:*:*",
"matchCriteriaId": "9ECEF57B-DA34-402A-86F0-713A3683A172",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.1:patch4:*:*:*:*:*:*",
"matchCriteriaId": "1815D4C7-50FC-45DA-8130-E9258CAFBD09",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.1:patch5:*:*:*:*:*:*",
"matchCriteriaId": "F784765E-8B3C-4F96-B57A-E6E7AECE628C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.1:patch6:*:*:*:*:*:*",
"matchCriteriaId": "A7B4F481-4E74-4B56-9851-E1A665F5783D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.2:-:*:*:*:*:*:*",
"matchCriteriaId": "224129BF-667F-4F6A-8E9A-15390F6FA3D5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.2:patch1:*:*:*:*:*:*",
"matchCriteriaId": "2A8C2668-C1F1-4A67-A2B3-99B5746C6A52",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.2:patch2:*:*:*:*:*:*",
"matchCriteriaId": "A9D91EB5-EC8E-4200-9245-13E37312343D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.2:patch4:*:*:*:*:*:*",
"matchCriteriaId": "63352C53-ADD8-49CD-B9E6-648183BDED68",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.2:patch5:*:*:*:*:*:*",
"matchCriteriaId": "DBDD484D-BF0D-4246-9701-0BF3DD2194E4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.3:-:*:*:*:*:*:*",
"matchCriteriaId": "1173CC53-CBE5-450C-96BF-8583D1B3D185",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.3:patch1:*:*:*:*:*:*",
"matchCriteriaId": "2C0F5E55-5D33-425F-9DA7-49FE66CD84C4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.3:patch2:*:*:*:*:*:*",
"matchCriteriaId": "1A2FD228-E6DB-49E3-BE3E-1BF9B0434FC0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.4:-:*:*:*:*:*:*",
"matchCriteriaId": "4BC4F08D-A3FB-41F6-8EFD-6F34FBC0F75F",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "This vulnerability allows an authenticated user to perform a Lifecycle Manager flow or other QuickLink for a target user outside of the defined QuickLink Population."
},
{
"lang": "es",
"value": "Esta vulnerabilidad permite a un usuario autenticado realizar un flujo de Lifecycle Manager u otro QuickLink para un usuario de destino fuera de la poblaci\u00f3n de QuickLink definida."
}
],
"id": "CVE-2024-2228",
"lastModified": "2025-11-12T20:19:38.013",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "psirt@sailpoint.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-03-22T16:15:09.757",
"references": [
{
"source": "psirt@sailpoint.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.sailpoint.com/security-advisories/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.sailpoint.com/security-advisories/"
}
],
"sourceIdentifier": "psirt@sailpoint.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-269"
}
],
"source": "psirt@sailpoint.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2024-1714
Vulnerability from fkie_nvd - Published: 2024-02-21 17:15 - Updated: 2025-09-30 16:56
Severity ?
7.1 (High) - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:L
7.1 (High) - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:L
7.1 (High) - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:L
Summary
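An issue exists in all supported versions of IdentityIQ Lifecycle Manager that can arise when an authenticated user requests, in an access request, an entitlement whose value contains leading or trailing whitespace. The description does not state the consequence; the record below classifies the weakness as CWE-20 and rates the confidentiality impact as High.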
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| sailpoint | identityiq | 8.1 | |
| sailpoint | identityiq | 8.1 | |
| sailpoint | identityiq | 8.1 | |
| sailpoint | identityiq | 8.1 | |
| sailpoint | identityiq | 8.1 | |
| sailpoint | identityiq | 8.1 | |
| sailpoint | identityiq | 8.1 | |
| sailpoint | identityiq | 8.2 | |
| sailpoint | identityiq | 8.2 | |
| sailpoint | identityiq | 8.2 | |
| sailpoint | identityiq | 8.2 | |
| sailpoint | identityiq | 8.3 | |
| sailpoint | identityiq | 8.3 | |
| sailpoint | identityiq | 8.4 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.1:-:*:*:*:*:*:*",
"matchCriteriaId": "00C8E5FB-5B6D-4C1B-AEFE-C884B28392D8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.1:patch1:*:*:*:*:*:*",
"matchCriteriaId": "216615A8-0E21-4597-871C-AC121BF0E150",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.1:patch2:*:*:*:*:*:*",
"matchCriteriaId": "35ECC22F-B2A2-4750-B995-2944F12C1BFF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.1:patch3:*:*:*:*:*:*",
"matchCriteriaId": "9ECEF57B-DA34-402A-86F0-713A3683A172",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.1:patch4:*:*:*:*:*:*",
"matchCriteriaId": "1815D4C7-50FC-45DA-8130-E9258CAFBD09",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.1:patch5:*:*:*:*:*:*",
"matchCriteriaId": "F784765E-8B3C-4F96-B57A-E6E7AECE628C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.1:patch6:*:*:*:*:*:*",
"matchCriteriaId": "A7B4F481-4E74-4B56-9851-E1A665F5783D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.2:-:*:*:*:*:*:*",
"matchCriteriaId": "224129BF-667F-4F6A-8E9A-15390F6FA3D5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.2:patch1:*:*:*:*:*:*",
"matchCriteriaId": "2A8C2668-C1F1-4A67-A2B3-99B5746C6A52",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.2:patch2:*:*:*:*:*:*",
"matchCriteriaId": "A9D91EB5-EC8E-4200-9245-13E37312343D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.2:patch4:*:*:*:*:*:*",
"matchCriteriaId": "63352C53-ADD8-49CD-B9E6-648183BDED68",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.3:-:*:*:*:*:*:*",
"matchCriteriaId": "1173CC53-CBE5-450C-96BF-8583D1B3D185",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.3:patch1:*:*:*:*:*:*",
"matchCriteriaId": "2C0F5E55-5D33-425F-9DA7-49FE66CD84C4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.4:-:*:*:*:*:*:*",
"matchCriteriaId": "4BC4F08D-A3FB-41F6-8EFD-6F34FBC0F75F",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue exists in all supported versions of IdentityIQ Lifecycle Manager that can result if an entitlement with a value containing leading or trailing whitespace is requested by an authenticated user in an access request."
},
{
"lang": "es",
"value": "Existe un problema en todas las versiones compatibles de IdentityIQ Lifecycle Manager que puede surgir si un usuario autenticado solicita un derecho con un valor que contiene espacios en blanco al principio o al final en una solicitud de acceso."
}
],
"id": "CVE-2024-1714",
"lastModified": "2025-09-30T16:56:44.690",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 1.3,
"impactScore": 5.3,
"source": "psirt@sailpoint.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 1.3,
"impactScore": 5.3,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2024-02-21T17:15:09.003",
"references": [
{
"source": "psirt@sailpoint.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.sailpoint.com/security-advisories/sailpoint-identityiq-access-request-for-entitlement-values-with-leading-trailing-whitespace-cve-2024-1714/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.sailpoint.com/security-advisories/sailpoint-identityiq-access-request-for-entitlement-values-with-leading-trailing-whitespace-cve-2024-1714/"
}
],
"sourceIdentifier": "psirt@sailpoint.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "psirt@sailpoint.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2023-32217
Vulnerability from fkie_nvd - Published: 2023-06-05 04:15 - Updated: 2024-11-21 08:02
Severity ?
9.0 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p3, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p6, IdentityIQ 8.1 and all 8.1 patch levels prior to 8.1p7, IdentityIQ 8.0 and all 8.0 patch levels prior to 8.0p6 allow an authenticated user to invoke a Java constructor with no arguments or a Java constructor with a single Map argument in any Java class available in the IdentityIQ application classpath.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| sailpoint | identityiq | 8.0 | |
| sailpoint | identityiq | 8.0 | |
| sailpoint | identityiq | 8.0 | |
| sailpoint | identityiq | 8.0 | |
| sailpoint | identityiq | 8.0 | |
| sailpoint | identityiq | 8.1 | |
| sailpoint | identityiq | 8.1 | |
| sailpoint | identityiq | 8.1 | |
| sailpoint | identityiq | 8.1 | |
| sailpoint | identityiq | 8.1 | |
| sailpoint | identityiq | 8.1 | |
| sailpoint | identityiq | 8.2 | |
| sailpoint | identityiq | 8.2 | |
| sailpoint | identityiq | 8.2 | |
| sailpoint | identityiq | 8.2 | |
| sailpoint | identityiq | 8.3 | |
| sailpoint | identityiq | 8.3 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.0:-:*:*:*:*:*:*",
"matchCriteriaId": "331C62A4-620B-483A-87A6-9AA51679AF92",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.0:patch1:*:*:*:*:*:*",
"matchCriteriaId": "C84FC633-5B3C-4A40-A588-EF3AF509BBE9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.0:patch2:*:*:*:*:*:*",
"matchCriteriaId": "6080940F-819D-468F-90B7-D1E135020777",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.0:patch3:*:*:*:*:*:*",
"matchCriteriaId": "E018B45E-96CF-45C2-B405-3AFCC683BF9C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.0:patch4:*:*:*:*:*:*",
"matchCriteriaId": "CE18C753-3EE9-49C4-A99F-4429E0B20A1A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.1:-:*:*:*:*:*:*",
"matchCriteriaId": "00C8E5FB-5B6D-4C1B-AEFE-C884B28392D8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.1:patch1:*:*:*:*:*:*",
"matchCriteriaId": "216615A8-0E21-4597-871C-AC121BF0E150",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.1:patch2:*:*:*:*:*:*",
"matchCriteriaId": "35ECC22F-B2A2-4750-B995-2944F12C1BFF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.1:patch3:*:*:*:*:*:*",
"matchCriteriaId": "9ECEF57B-DA34-402A-86F0-713A3683A172",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.1:patch4:*:*:*:*:*:*",
"matchCriteriaId": "1815D4C7-50FC-45DA-8130-E9258CAFBD09",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.1:patch5:*:*:*:*:*:*",
"matchCriteriaId": "F784765E-8B3C-4F96-B57A-E6E7AECE628C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.2:-:*:*:*:*:*:*",
"matchCriteriaId": "224129BF-667F-4F6A-8E9A-15390F6FA3D5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.2:patch1:*:*:*:*:*:*",
"matchCriteriaId": "2A8C2668-C1F1-4A67-A2B3-99B5746C6A52",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.2:patch2:*:*:*:*:*:*",
"matchCriteriaId": "A9D91EB5-EC8E-4200-9245-13E37312343D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.2:patch4:*:*:*:*:*:*",
"matchCriteriaId": "63352C53-ADD8-49CD-B9E6-648183BDED68",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.3:-:*:*:*:*:*:*",
"matchCriteriaId": "1173CC53-CBE5-450C-96BF-8583D1B3D185",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.3:patch1:*:*:*:*:*:*",
"matchCriteriaId": "2C0F5E55-5D33-425F-9DA7-49FE66CD84C4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p3, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p6, IdentityIQ 8.1 and all 8.1 patch levels prior to 8.1p7, IdentityIQ 8.0 and all 8.0 patch levels prior to 8.0p6\u00a0allow an authenticated user to invoke a Java constructor with no arguments or a Java constructor with a single Map argument in any Java class available in the IdentityIQ application classpath.\n\n"
}
],
"id": "CVE-2023-32217",
"lastModified": "2024-11-21T08:02:55.330",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.0,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 6.0,
"source": "psirt@sailpoint.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-06-05T04:15:10.927",
"references": [
{
"source": "psirt@sailpoint.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.sailpoint.com/security-advisories/sailpoint-identityiq-unsafe-use-of-reflection-vulnerability-cve-2023-32217/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.sailpoint.com/security-advisories/sailpoint-identityiq-unsafe-use-of-reflection-vulnerability-cve-2023-32217/"
}
],
"sourceIdentifier": "psirt@sailpoint.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-470"
}
],
"source": "psirt@sailpoint.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-470"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2022-45435
Vulnerability from fkie_nvd - Published: 2023-01-31 15:15 - Updated: 2024-11-21 07:29
Severity ?
6.8 (Medium) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Summary
IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p2, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p5, IdentityIQ 8.1 and all 8.1 patch levels prior to 8.1p7, IdentityIQ 8.0 and all 8.0 patch levels prior to 8.0p6, and all prior versions allow authenticated users assigned the Identity Administrator capability or any custom capability that contains the SetIdentityForwarding right to modify the work item forwarding configuration for identities other than the ones that should be allowed by Lifecycle Manager Quicklink Population configuration.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| sailpoint | identityiq | * | |
| sailpoint | identityiq | 8.0 | |
| sailpoint | identityiq | 8.0 | |
| sailpoint | identityiq | 8.0 | |
| sailpoint | identityiq | 8.0 | |
| sailpoint | identityiq | 8.0 | |
| sailpoint | identityiq | 8.0 | |
| sailpoint | identityiq | 8.1 | |
| sailpoint | identityiq | 8.1 | |
| sailpoint | identityiq | 8.1 | |
| sailpoint | identityiq | 8.1 | |
| sailpoint | identityiq | 8.1 | |
| sailpoint | identityiq | 8.1 | |
| sailpoint | identityiq | 8.1 | |
| sailpoint | identityiq | 8.2 | |
| sailpoint | identityiq | 8.2 | |
| sailpoint | identityiq | 8.2 | |
| sailpoint | identityiq | 8.2 | |
| sailpoint | identityiq | 8.3 | |
| sailpoint | identityiq | 8.3 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E3470BC7-4C59-4887-85FA-62E4CFCE31D4",
"versionEndExcluding": "8.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.0:-:*:*:*:*:*:*",
"matchCriteriaId": "331C62A4-620B-483A-87A6-9AA51679AF92",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.0:patch1:*:*:*:*:*:*",
"matchCriteriaId": "C84FC633-5B3C-4A40-A588-EF3AF509BBE9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.0:patch2:*:*:*:*:*:*",
"matchCriteriaId": "6080940F-819D-468F-90B7-D1E135020777",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.0:patch3:*:*:*:*:*:*",
"matchCriteriaId": "E018B45E-96CF-45C2-B405-3AFCC683BF9C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.0:patch4:*:*:*:*:*:*",
"matchCriteriaId": "CE18C753-3EE9-49C4-A99F-4429E0B20A1A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.0:patch5:*:*:*:*:*:*",
"matchCriteriaId": "F5641886-0FBB-472D-950A-70F94FB99087",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.1:-:*:*:*:*:*:*",
"matchCriteriaId": "00C8E5FB-5B6D-4C1B-AEFE-C884B28392D8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.1:patch1:*:*:*:*:*:*",
"matchCriteriaId": "216615A8-0E21-4597-871C-AC121BF0E150",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.1:patch2:*:*:*:*:*:*",
"matchCriteriaId": "35ECC22F-B2A2-4750-B995-2944F12C1BFF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.1:patch3:*:*:*:*:*:*",
"matchCriteriaId": "9ECEF57B-DA34-402A-86F0-713A3683A172",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.1:patch4:*:*:*:*:*:*",
"matchCriteriaId": "1815D4C7-50FC-45DA-8130-E9258CAFBD09",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.1:patch5:*:*:*:*:*:*",
"matchCriteriaId": "F784765E-8B3C-4F96-B57A-E6E7AECE628C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.1:patch6:*:*:*:*:*:*",
"matchCriteriaId": "A7B4F481-4E74-4B56-9851-E1A665F5783D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.2:-:*:*:*:*:*:*",
"matchCriteriaId": "224129BF-667F-4F6A-8E9A-15390F6FA3D5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.2:patch1:*:*:*:*:*:*",
"matchCriteriaId": "2A8C2668-C1F1-4A67-A2B3-99B5746C6A52",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.2:patch2:*:*:*:*:*:*",
"matchCriteriaId": "A9D91EB5-EC8E-4200-9245-13E37312343D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.2:patch4:*:*:*:*:*:*",
"matchCriteriaId": "63352C53-ADD8-49CD-B9E6-648183BDED68",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.3:-:*:*:*:*:*:*",
"matchCriteriaId": "1173CC53-CBE5-450C-96BF-8583D1B3D185",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.3:patch1:*:*:*:*:*:*",
"matchCriteriaId": "2C0F5E55-5D33-425F-9DA7-49FE66CD84C4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p2, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p5, IdentityIQ 8.1 and all 8.1 patch levels prior to 8.1p7, IdentityIQ 8.0 and all 8.0 patch levels prior to 8.0p6, and all prior versions allow authenticated users assigned the Identity Administrator capability or any custom capability that contains the SetIdentityForwarding right to modify the work item forwarding configuration for identities other than the ones that should be allowed by Lifecycle Manager Quicklink Population configuration."
},
{
"lang": "es",
"value": "IdentityIQ 8.3 y todos los niveles de parche 8.3 anteriores a 8.3p2, IdentityIQ 8.2 y todos los niveles de parche 8.2 anteriores a 8.2p5, IdentityIQ 8.1 y todos los niveles de parche 8.1 anteriores a 8.1p7, IdentityIQ 8.0 y todos los niveles de parche 8.0 anteriores a 8.0p6, y todos Las versiones anteriores permiten a los usuarios autenticados a los que se les ha asignado la capacidad de Administrador de identidades o cualquier capacidad personalizada que contenga el derecho SetIdentityForwarding modificar la configuraci\u00f3n de reenv\u00edo de elementos de trabajo para identidades distintas a las que deber\u00edan permitirse mediante la configuraci\u00f3n de Poblaci\u00f3n de enlaces r\u00e1pidos de Lifecycle Manager."
}
],
"id": "CVE-2022-45435",
"lastModified": "2024-11-21T07:29:15.307",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 5.2,
"source": "psirt@sailpoint.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-01-31T15:15:08.837",
"references": [
{
"source": "psirt@sailpoint.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.sailpoint.com/security-advisories/sailpoint-identityiq-identity-forwarding-vulnerability-cve-2022-45435/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.sailpoint.com/security-advisories/sailpoint-identityiq-identity-forwarding-vulnerability-cve-2022-45435/"
}
],
"sourceIdentifier": "psirt@sailpoint.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-863"
}
],
"source": "psirt@sailpoint.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-863"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2022-46835
Vulnerability from fkie_nvd - Published: 2023-01-31 15:15 - Updated: 2024-11-21 07:31
Severity ?
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p2, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p5, IdentityIQ 8.1 and all 8.1 patch levels prior to 8.1p7, IdentityIQ 8.0 and all 8.0 patch levels prior to 8.0p6 allow access to arbitrary files in the application server filesystem due to a path traversal vulnerability in JavaServer Faces (JSF) 2.2.20 documented in CVE-2020-6950.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| sailpoint | identityiq | 8.0 | |
| sailpoint | identityiq | 8.0 | |
| sailpoint | identityiq | 8.0 | |
| sailpoint | identityiq | 8.0 | |
| sailpoint | identityiq | 8.0 | |
| sailpoint | identityiq | 8.0 | |
| sailpoint | identityiq | 8.1 | |
| sailpoint | identityiq | 8.1 | |
| sailpoint | identityiq | 8.1 | |
| sailpoint | identityiq | 8.1 | |
| sailpoint | identityiq | 8.1 | |
| sailpoint | identityiq | 8.1 | |
| sailpoint | identityiq | 8.1 | |
| sailpoint | identityiq | 8.2 | |
| sailpoint | identityiq | 8.2 | |
| sailpoint | identityiq | 8.2 | |
| sailpoint | identityiq | 8.2 | |
| sailpoint | identityiq | 8.3 | |
| sailpoint | identityiq | 8.3 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.0:-:*:*:*:*:*:*",
"matchCriteriaId": "331C62A4-620B-483A-87A6-9AA51679AF92",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.0:patch1:*:*:*:*:*:*",
"matchCriteriaId": "C84FC633-5B3C-4A40-A588-EF3AF509BBE9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.0:patch2:*:*:*:*:*:*",
"matchCriteriaId": "6080940F-819D-468F-90B7-D1E135020777",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.0:patch3:*:*:*:*:*:*",
"matchCriteriaId": "E018B45E-96CF-45C2-B405-3AFCC683BF9C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.0:patch4:*:*:*:*:*:*",
"matchCriteriaId": "CE18C753-3EE9-49C4-A99F-4429E0B20A1A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.0:patch5:*:*:*:*:*:*",
"matchCriteriaId": "F5641886-0FBB-472D-950A-70F94FB99087",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.1:-:*:*:*:*:*:*",
"matchCriteriaId": "00C8E5FB-5B6D-4C1B-AEFE-C884B28392D8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.1:patch1:*:*:*:*:*:*",
"matchCriteriaId": "216615A8-0E21-4597-871C-AC121BF0E150",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.1:patch2:*:*:*:*:*:*",
"matchCriteriaId": "35ECC22F-B2A2-4750-B995-2944F12C1BFF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.1:patch3:*:*:*:*:*:*",
"matchCriteriaId": "9ECEF57B-DA34-402A-86F0-713A3683A172",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.1:patch4:*:*:*:*:*:*",
"matchCriteriaId": "1815D4C7-50FC-45DA-8130-E9258CAFBD09",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.1:patch5:*:*:*:*:*:*",
"matchCriteriaId": "F784765E-8B3C-4F96-B57A-E6E7AECE628C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.1:patch6:*:*:*:*:*:*",
"matchCriteriaId": "A7B4F481-4E74-4B56-9851-E1A665F5783D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.2:-:*:*:*:*:*:*",
"matchCriteriaId": "224129BF-667F-4F6A-8E9A-15390F6FA3D5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.2:patch1:*:*:*:*:*:*",
"matchCriteriaId": "2A8C2668-C1F1-4A67-A2B3-99B5746C6A52",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.2:patch2:*:*:*:*:*:*",
"matchCriteriaId": "A9D91EB5-EC8E-4200-9245-13E37312343D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.2:patch4:*:*:*:*:*:*",
"matchCriteriaId": "63352C53-ADD8-49CD-B9E6-648183BDED68",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.3:-:*:*:*:*:*:*",
"matchCriteriaId": "1173CC53-CBE5-450C-96BF-8583D1B3D185",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sailpoint:identityiq:8.3:patch1:*:*:*:*:*:*",
"matchCriteriaId": "2C0F5E55-5D33-425F-9DA7-49FE66CD84C4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p2, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p5, IdentityIQ 8.1 and all 8.1 patch levels prior to 8.1p7, IdentityIQ 8.0 and all 8.0 patch levels prior to 8.0p6 allow access to arbitrary files in the application server filesystem due to a path traversal vulnerability in JavaServer Faces (JSF) 2.2.20 documented in CVE-2020-6950."
},
{
"lang": "es",
"value": "IdentityIQ 8.3 y todos los niveles de parche 8.3 anteriores a 8.3p2, IdentityIQ 8.2 y todos los niveles de parche 8.2 anteriores a 8.2p5, IdentityIQ 8.1 y todos los niveles de parche 8.1 anteriores a 8.1p7, IdentityIQ 8.0 y todos los niveles de parche 8.0 anteriores a 8.0p6 permiten el acceso a archivos arbitrarios en el sistema de archivos del servidor de aplicaciones debido a una vulnerabilidad de path traversal en JavaServer Faces (JSF) 2.2.20 documentada en CVE-2020-6950."
}
],
"id": "CVE-2022-46835",
"lastModified": "2024-11-21T07:31:08.867",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "psirt@sailpoint.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-01-31T15:15:08.997",
"references": [
{
"source": "psirt@sailpoint.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.sailpoint.com/security-advisories/sailpoint-identityiq-file-traversal-vulnerability-cve-2022-46835/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.sailpoint.com/security-advisories/sailpoint-identityiq-file-traversal-vulnerability-cve-2022-46835/"
}
],
"sourceIdentifier": "psirt@sailpoint.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "psirt@sailpoint.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2025-10280 (GCVE-0-2025-10280)
Vulnerability from cvelistv5 – Published: 2025-11-03 16:35 – Updated: 2025-11-06 20:45
Summary
IdentityIQ 8.5, IdentityIQ 8.4 and all 8.4 patch levels prior to 8.4p4, IdentityIQ 8.3 and all 8.3 patch levels including 8.3p5, and all prior versions allow some IdentityIQ web services that provide non-HTML content to be accessed via a URL path that sets the Content-Type to HTML, allowing a requesting browser to interpret content that is not properly escaped to prevent Cross-Site Scripting (XSS).
Severity ?
7.1 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SailPoint Technologies | IdentityIQ | Affected: 8.5 (semver); Affected: 8.4, < 8.4p4 (semver); Affected: 8.3, ≤ 8.3p5 (semver) | | |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-10280",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-03T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-04T04:55:16.187Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "IdentityIQ",
"vendor": "SailPoint Technologies",
"versions": [
{
"status": "affected",
"version": "8.5",
"versionType": "semver"
},
{
"lessThan": "8.4p4",
"status": "affected",
"version": "8.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "8.3p5",
"status": "affected",
"version": "8.3",
"versionType": "semver"
}
]
}
],
"datePublic": "2025-11-03T16:35:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIdentityIQ\n8.5, IdentityIQ 8.4 and all 8.4 patch levels prior to 8.4p4, IdentityIQ 8.3 and\nall 8.3 patch levels including 8.3p5, and all prior versions allows some\nIdentityIQ web services that provide non-HTML content to be accessed via a URL\npath that will set the Content-Type to HTML allowing a requesting browser to\ninterpret content not properly escaped to prevent Cross-Site Scripting (XSS). \u003c/p\u003e"
}
],
"value": "IdentityIQ\n8.5, IdentityIQ 8.4 and all 8.4 patch levels prior to 8.4p4, IdentityIQ 8.3 and\nall 8.3 patch levels including 8.3p5, and all prior versions allows some\nIdentityIQ web services that provide non-HTML content to be accessed via a URL\npath that will set the Content-Type to HTML allowing a requesting browser to\ninterpret content not properly escaped to prevent Cross-Site Scripting (XSS)."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-06T20:45:31.741Z",
"orgId": "2cfc7547-56a0-4049-8b52-c3078e8a8719",
"shortName": "SailPoint"
},
"references": [
{
"url": "https://www.sailpoint.com/security-advisories/sailpoint-identityiq-incorrect-content-type-cross-site-scripting-vulnerability-cve-2025-10280"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Incorrect Content Type Cross-Site Scripting Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2cfc7547-56a0-4049-8b52-c3078e8a8719",
"assignerShortName": "SailPoint",
"cveId": "CVE-2025-10280",
"datePublished": "2025-11-03T16:35:56.241Z",
"dateReserved": "2025-09-11T16:02:56.954Z",
"dateUpdated": "2025-11-06T20:45:31.741Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-10905 (GCVE-0-2024-10905)
Vulnerability from cvelistv5 – Published: 2024-12-02 14:49 – Updated: 2025-01-06 17:42
Summary
IdentityIQ 8.4 and all 8.4 patch levels prior to 8.4p2, IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p5, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p8, and all prior versions allow HTTP/HTTPS access to static content in the IdentityIQ application directory that should be protected.
Severity ?
10 (Critical)
CWE
- CWE-66 - Improper Handling of File Names that Identify Virtual Resources
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SailPoint Technologies | IdentityIQ | Affected: 8.2, < 8.2p8 (semver); Affected: 8.3, < 8.3p5 (semver); Affected: 8.4, < 8.4p2 (semver) | | |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:sailpoint:identityiq:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "identityiq",
"vendor": "sailpoint",
"versions": [
{
"lessThan": "8.2p8",
"status": "affected",
"version": "8.2",
"versionType": "semver"
},
{
"lessThan": "8.3p5",
"status": "affected",
"version": "8.3",
"versionType": "semver"
},
{
"lessThan": "8.4p2",
"status": "affected",
"version": "8.4",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-10905",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-03T04:55:24.996838Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-06T17:42:22.215Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "IdentityIQ",
"vendor": "SailPoint Technologies",
"versions": [
{
"lessThan": "8.2p8",
"status": "affected",
"version": "8.2",
"versionType": "semver"
},
{
"lessThan": "8.3p5",
"status": "affected",
"version": "8.3",
"versionType": "semver"
},
{
"lessThan": "8.4p2",
"status": "affected",
"version": "8.4",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IdentityIQ 8.4 and all 8.4 patch levels prior to 8.4p2, IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p5, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p8, and all prior versions\u0026nbsp;\u003cspan style=\"background-color: var(--wht);\"\u003eallow HTTP/HTTPS access to\u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: var(--wht);\"\u003estatic content in the IdentityIQ application directory that should be protected.\u003c/span\u003e\u003cspan style=\"background-color: var(--wht);\"\u003e\u003cbr\u003e\u003c/span\u003e\n\n\n\u003cbr\u003e"
}
],
"value": "IdentityIQ 8.4 and all 8.4 patch levels prior to 8.4p2, IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p5, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p8, and all prior versions\u00a0allow HTTP/HTTPS access to\u00a0static content in the IdentityIQ application directory that should be protected."
}
],
"impacts": [
{
"capecId": "CAPEC-1",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-66",
"description": "CWE-66: Improper Handling of File Names that Identify Virtual Resources",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-06T17:57:12.682Z",
"orgId": "2cfc7547-56a0-4049-8b52-c3078e8a8719",
"shortName": "SailPoint"
},
"references": [
{
"url": "https://www.sailpoint.com/security-advisories/identityiq-improper-access-control-vulnerability-cve-2024-10905"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://community.sailpoint.com/t5/IdentityIQ-Blog/IdentityIQ-Improper-Access-Control-Vulnerability/ba-p/261409\"\u003ehttps://community.sailpoint.com/t5/IdentityIQ-Blog/IdentityIQ-Improper-Access-Control-Vulnerability/...\u003c/a\u003e"
}
],
"value": "https://community.sailpoint.com/t5/IdentityIQ-Blog/IdentityIQ-Improper-Access-Control-Vulnerability/... https://community.sailpoint.com/t5/IdentityIQ-Blog/IdentityIQ-Improper-Access-Control-Vulnerability/ba-p/261409"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IdentityIQ Improper Access Control Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2cfc7547-56a0-4049-8b52-c3078e8a8719",
"assignerShortName": "SailPoint",
"cveId": "CVE-2024-10905",
"datePublished": "2024-12-02T14:49:51.199Z",
"dateReserved": "2024-11-05T20:21:47.258Z",
"dateUpdated": "2025-01-06T17:42:22.215Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-2228 (GCVE-0-2024-2228)
Vulnerability from cvelistv5 – Published: 2024-03-22 15:50 – Updated: 2024-08-01 19:03
Summary
This vulnerability allows an authenticated user to perform a Lifecycle Manager flow or other QuickLink for a target user outside of the defined QuickLink Population.
Severity ?
7.1 (High)
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SailPoint | IdentityIQ | Affected: 8.1, < 8.1p7 (semver); Affected: 8.2, < 8.2p7 (semver); Affected: 8.3, < 8.3p4 (semver); Affected: 8.4, < 8.4p1 (semver) | | |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-2228",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-22T18:33:57.066222Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-05T17:21:16.762Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T19:03:39.121Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.sailpoint.com/security-advisories/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "IdentityIQ",
"vendor": "SailPoint",
"versions": [
{
"lessThan": "8.1p7",
"status": "affected",
"version": "8.1",
"versionType": "semver"
},
{
"lessThan": "8.2p7",
"status": "affected",
"version": "8.2",
"versionType": "semver"
},
{
"lessThan": "8.3p4",
"status": "affected",
"version": "8.3",
"versionType": "semver"
},
{
"lessThan": "8.4p1",
"status": "affected",
"version": "8.4",
"versionType": "semver"
}
]
}
],
"datePublic": "2024-03-21T15:43:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "This vulnerability allows an authenticated user to perform a Lifecycle Manager flow or other QuickLink for a target user outside of the defined QuickLink Population."
}
],
"value": "This vulnerability allows an authenticated user to perform a Lifecycle Manager flow or other QuickLink for a target user outside of the defined QuickLink Population."
}
],
"impacts": [
{
"capecId": "CAPEC-1",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-22T15:50:09.729Z",
"orgId": "2cfc7547-56a0-4049-8b52-c3078e8a8719",
"shortName": "SailPoint"
},
"references": [
{
"url": "https://www.sailpoint.com/security-advisories/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IdentityIQ Authorization of QuickLink Target Identities Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "2cfc7547-56a0-4049-8b52-c3078e8a8719",
"assignerShortName": "SailPoint",
"cveId": "CVE-2024-2228",
"datePublished": "2024-03-22T15:50:09.729Z",
"dateReserved": "2024-03-06T17:01:59.959Z",
"dateUpdated": "2024-08-01T19:03:39.121Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-2227 (GCVE-0-2024-2227)
Vulnerability from cvelistv5 – Published: 2024-03-22 15:43 – Updated: 2024-08-01 19:03
Summary
This vulnerability allows access to arbitrary files in the application server file system due to a path traversal vulnerability in JavaServer Faces (JSF) 2.2.20 documented in CVE-2020-6950. The remediation contained in this security fix provides additional changes to the remediations announced in May 2021 (tracked by ETN IIQSAW-3585) and January 2024 (tracked by IIQFW-336). This vulnerability in IdentityIQ is assigned CVE-2024-2227.
Severity ?
10 (Critical)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| SailPoint | IdentityIQ | Affected: 8.1, < 8.1p7 (semver); Affected: 8.2, < 8.2p7 (semver); Affected: 8.3, < 8.3p4 (semver); Affected: 8.4, < 8.4p1 (semver) |
Credits
Jose Domingo Carillo Lencina, 0xd0m7
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:sailpoint:identityiq:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "identityiq",
"vendor": "sailpoint",
"versions": [
{
"lessThan": "8.1p7",
"status": "affected",
"version": "8.1",
"versionType": "custom"
},
{
"lessThan": "8.2p7",
"status": "affected",
"version": "8.2",
"versionType": "custom"
},
{
"lessThan": "8.3p4",
"status": "affected",
"version": "8.3",
"versionType": "custom"
},
{
"lessThan": "8.4p1",
"status": "affected",
"version": "8.4",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-2227",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-30T04:00:58.434391Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-01T18:45:07.233Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T19:03:39.142Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.sailpoint.com/security-advisories/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "IdentityIQ",
"vendor": "SailPoint",
"versions": [
{
"lessThan": "8.1p7",
"status": "affected",
"version": "8.1",
"versionType": "semver"
},
{
"lessThan": "8.2p7",
"status": "affected",
"version": "8.2",
"versionType": "semver"
},
{
"lessThan": "8.3p4",
"status": "affected",
"version": "8.3",
"versionType": "semver"
},
{
"lessThan": "8.4p1",
"status": "affected",
"version": "8.4",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Jose Domingo Carillo Lencina, 0xd0m7"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "This vulnerability allows access to arbitrary files in the application server file system due to a path traversal vulnerability in JavaServer Faces (JSF) 2.2.20 documented in CVE-2020-6950. The remediation for this vulnerability contained in this security fix provides additional changes to the remediation announced in May 2021 tracked by ETN IIQSAW-3585 and January 2024 tracked by IIQFW-336. This vulnerability in IdentityIQ is assigned CVE-2024-2227."
}
],
"value": "This vulnerability allows access to arbitrary files in the application server file system due to a path traversal vulnerability in JavaServer Faces (JSF) 2.2.20 documented in CVE-2020-6950. The remediation for this vulnerability contained in this security fix provides additional changes to the remediation announced in May 2021 tracked by ETN IIQSAW-3585 and January 2024 tracked by IIQFW-336. This vulnerability in IdentityIQ is assigned CVE-2024-2227."
}
],
"impacts": [
{
"capecId": "CAPEC-126",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-126 Path Traversal"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-22T15:43:12.869Z",
"orgId": "2cfc7547-56a0-4049-8b52-c3078e8a8719",
"shortName": "SailPoint"
},
"references": [
{
"url": "https://www.sailpoint.com/security-advisories/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IdentityIQ JavaServer Faces File Path Traversal Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "2cfc7547-56a0-4049-8b52-c3078e8a8719",
"assignerShortName": "SailPoint",
"cveId": "CVE-2024-2227",
"datePublished": "2024-03-22T15:43:12.869Z",
"dateReserved": "2024-03-06T17:01:38.789Z",
"dateUpdated": "2024-08-01T19:03:39.142Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-1714 (GCVE-0-2024-1714)
Vulnerability from cvelistv5 – Published: 2024-02-21 16:57 – Updated: 2025-08-26 20:08
Summary
An issue exists in all supported versions of IdentityIQ Lifecycle Manager that can result if an entitlement with a value containing leading or trailing whitespace is requested by an authenticated user in an access request.
Severity ?
7.1 (High)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| SailPoint | IdentityIQ | Affected: 8.2, < 8.2p7 (semver); Affected: 8.3, < 8.3p4 (semver); Affected: 8.4, < 8.4p1 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-1714",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-06T19:02:28.625676Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-26T20:08:09.865Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:48:21.832Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.sailpoint.com/security-advisories/sailpoint-identityiq-access-request-for-entitlement-values-with-leading-trailing-whitespace-cve-2024-1714/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "IdentityIQ",
"vendor": "SailPoint",
"versions": [
{
"lessThan": "8.2p7",
"status": "affected",
"version": "8.2",
"versionType": "semver"
},
{
"lessThan": "8.3p4",
"status": "affected",
"version": "8.3",
"versionType": "semver"
},
{
"lessThan": "8.4p1",
"status": "affected",
"version": "8.4",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An issue exists in all supported versions of IdentityIQ Lifecycle Manager that can result if an entitlement with a value containing leading or trailing whitespace is requested by an authenticated user in an access request."
}
],
"value": "An issue exists in all supported versions of IdentityIQ Lifecycle Manager that can result if an entitlement with a value containing leading or trailing whitespace is requested by an authenticated user in an access request."
}
],
"impacts": [
{
"capecId": "CAPEC-122",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-122 Privilege Abuse"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-17T18:37:39.187Z",
"orgId": "2cfc7547-56a0-4049-8b52-c3078e8a8719",
"shortName": "SailPoint"
},
"references": [
{
"url": "https://www.sailpoint.com/security-advisories/sailpoint-identityiq-access-request-for-entitlement-values-with-leading-trailing-whitespace-cve-2024-1714/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Access Request for Entitlement Values with Leading/Trailing Whitespace",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "2cfc7547-56a0-4049-8b52-c3078e8a8719",
"assignerShortName": "SailPoint",
"cveId": "CVE-2024-1714",
"datePublished": "2024-02-21T16:57:19.298Z",
"dateReserved": "2024-02-21T16:52:41.030Z",
"dateUpdated": "2025-08-26T20:08:09.865Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-32217 (GCVE-0-2023-32217)
Vulnerability from cvelistv5 – Published: 2023-05-31 00:00 – Updated: 2025-01-10 15:40
Summary
IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p3, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p6, IdentityIQ 8.1 and all 8.1 patch levels prior to 8.1p7, IdentityIQ 8.0 and all 8.0 patch levels prior to 8.0p6 allow an authenticated user to invoke a Java constructor with no arguments or a Java constructor with a single Map argument in any Java class available in the IdentityIQ application classpath.
Severity ?
9 (Critical)
CWE
- CWE-470 - Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| SailPoint | IdentityIQ | Affected: 8.3, ≤ 8.3p2 (semver); Affected: 8.2, ≤ 8.2p5 (semver); Affected: 8.1, ≤ 8.1p6 (semver); Affected: 8.0, ≤ 8.0p5 (semver) |
Credits
Recurity Labs GmbH
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T15:10:23.943Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.sailpoint.com/security-advisories/sailpoint-identityiq-unsafe-use-of-reflection-vulnerability-cve-2023-32217/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-32217",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-10T15:40:05.443644Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-10T15:40:35.132Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "IdentityIQ",
"vendor": "SailPoint",
"versions": [
{
"lessThanOrEqual": "8.3p2",
"status": "affected",
"version": "8.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "8.2p5",
"status": "affected",
"version": "8.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "8.1p6",
"status": "affected",
"version": "8.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "8.0p5",
"status": "affected",
"version": "8.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Recurity Labs GmbH"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p3, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p6, IdentityIQ 8.1 and all 8.1 patch levels prior to 8.1p7, IdentityIQ 8.0 and all 8.0 patch levels prior to 8.0p6\u0026nbsp;allow an authenticated user to invoke a Java constructor with no arguments or a Java constructor with a single Map argument in any Java class available in the IdentityIQ application classpath.\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p3, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p6, IdentityIQ 8.1 and all 8.1 patch levels prior to 8.1p7, IdentityIQ 8.0 and all 8.0 patch levels prior to 8.0p6\u00a0allow an authenticated user to invoke a Java constructor with no arguments or a Java constructor with a single Map argument in any Java class available in the IdentityIQ application classpath.\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-138",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-138 Reflection Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-470",
"description": "CWE-470 Use of Externally-Controlled Input to Select Classes or Code (\u0027Unsafe Reflection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-05T03:55:37.447Z",
"orgId": "2cfc7547-56a0-4049-8b52-c3078e8a8719",
"shortName": "SailPoint"
},
"references": [
{
"url": "https://www.sailpoint.com/security-advisories/sailpoint-identityiq-unsafe-use-of-reflection-vulnerability-cve-2023-32217/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "SailPoint IdentityIQ Unsafe use of Reflection Vulnerability",
"x_generator": {
"engine": "SecretariatVulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "2cfc7547-56a0-4049-8b52-c3078e8a8719",
"assignerShortName": "SailPoint",
"cveId": "CVE-2023-32217",
"datePublished": "2023-05-31T00:00:00",
"dateReserved": "2023-05-04T20:01:49.973Z",
"dateUpdated": "2025-01-10T15:40:35.132Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-46835 (GCVE-0-2022-46835)
Vulnerability from cvelistv5 – Published: 2023-01-31 00:00 – Updated: 2025-03-27 18:26
Summary
IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p2, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p5, IdentityIQ 8.1 and all 8.1 patch levels prior to 8.1p7, IdentityIQ 8.0 and all 8.0 patch levels prior to 8.0p6 allow access to arbitrary files in the application server filesystem due to a path traversal vulnerability in JavaServer Faces (JSF) 2.2.20 documented in CVE-2020-6950.
Severity ?
8.8 (High)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| SailPoint | IdentityIQ | Affected: 8.3, ≤ 8.3p1 (custom); Affected: 8.2, ≤ 8.2p4 (custom); Affected: 8.1, ≤ 8.1p6 (custom); Affected: 8.0, ≤ 8.0p5 (custom) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T14:39:39.059Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.sailpoint.com/security-advisories/sailpoint-identityiq-file-traversal-vulnerability-cve-2022-46835/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-46835",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-27T18:26:50.539506Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-27T18:26:57.953Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "IdentityIQ",
"vendor": "SailPoint",
"versions": [
{
"lessThanOrEqual": "8.3p1",
"status": "affected",
"version": "8.3",
"versionType": "custom"
},
{
"lessThanOrEqual": "8.2p4",
"status": "affected",
"version": "8.2",
"versionType": "custom"
},
{
"lessThanOrEqual": "8.1p6",
"status": "affected",
"version": "8.1",
"versionType": "custom"
},
{
"lessThanOrEqual": "8.0p5",
"status": "affected",
"version": "8.0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p2, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p5, IdentityIQ 8.1 and all 8.1 patch levels prior to 8.1p7, IdentityIQ 8.0 and all 8.0 patch levels prior to 8.0p6 allow access to arbitrary files in the application server filesystem due to a path traversal vulnerability in JavaServer Faces (JSF) 2.2.20 documented in CVE-2020-6950."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-02-02T00:00:00.000Z",
"orgId": "2cfc7547-56a0-4049-8b52-c3078e8a8719",
"shortName": "SailPoint"
},
"references": [
{
"url": "https://www.sailpoint.com/security-advisories/sailpoint-identityiq-file-traversal-vulnerability-cve-2022-46835/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "SailPoint IdentityIQ JavaServer File Path Traversal Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "2cfc7547-56a0-4049-8b52-c3078e8a8719",
"assignerShortName": "SailPoint",
"cveId": "CVE-2022-46835",
"datePublished": "2023-01-31T00:00:00.000Z",
"dateReserved": "2022-12-08T00:00:00.000Z",
"dateUpdated": "2025-03-27T18:26:57.953Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-45435 (GCVE-0-2022-45435)
Vulnerability from cvelistv5 – Published: 2023-01-31 00:00 – Updated: 2025-03-27 18:28
Summary
IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p2, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p5, IdentityIQ 8.1 and all 8.1 patch levels prior to 8.1p7, IdentityIQ 8.0 and all 8.0 patch levels prior to 8.0p6, and all prior versions allow authenticated users assigned the Identity Administrator capability or any custom capability that contains the SetIdentityForwarding right to modify the work item forwarding configuration for identities other than the ones that should be allowed by Lifecycle Manager Quicklink Population configuration.
Severity ?
6.8 (Medium)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| SailPoint | IdentityIQ | Affected: 8.3, ≤ 8.3p1 (custom); Affected: 8.2, ≤ 8.2p4 (custom); Affected: 8.1, ≤ 8.1p6 (custom); Affected: 8.0, ≤ 8.0p5 (custom) |
Credits
Elisia Chessel, Klarna AB
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T14:09:57.045Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.sailpoint.com/security-advisories/sailpoint-identityiq-identity-forwarding-vulnerability-cve-2022-45435/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-45435",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-27T18:28:31.181114Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-27T18:28:39.509Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "IdentityIQ",
"vendor": "SailPoint",
"versions": [
{
"lessThanOrEqual": "8.3p1",
"status": "affected",
"version": "8.3",
"versionType": "custom"
},
{
"lessThanOrEqual": "8.2p4",
"status": "affected",
"version": "8.2",
"versionType": "custom"
},
{
"lessThanOrEqual": "8.1p6",
"status": "affected",
"version": "8.1",
"versionType": "custom"
},
{
"lessThanOrEqual": "8.0p5",
"status": "affected",
"version": "8.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Elisia Chessel,Klarna AB"
}
],
"descriptions": [
{
"lang": "en",
"value": "IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p2, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p5, IdentityIQ 8.1 and all 8.1 patch levels prior to 8.1p7, IdentityIQ 8.0 and all 8.0 patch levels prior to 8.0p6, and all prior versions allow authenticated users assigned the Identity Administrator capability or any custom capability that contains the SetIdentityForwarding right to modify the work item forwarding configuration for identities other than the ones that should be allowed by Lifecycle Manager Quicklink Population configuration."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-31T00:00:00.000Z",
"orgId": "2cfc7547-56a0-4049-8b52-c3078e8a8719",
"shortName": "SailPoint"
},
"references": [
{
"url": "https://www.sailpoint.com/security-advisories/sailpoint-identityiq-identity-forwarding-vulnerability-cve-2022-45435/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "SailPoint IdentityIQ Access Control Bypass",
"workarounds": [
{
"lang": "en",
"value": "Remove the SetIdentityForwarding right from all IdentityIQ capabilities or unassign any capability containing the SetIdentityForwarding right from all identities. In this mitigated state, work item forwarding can still be configured by an identity by modifying user preferences."
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "2cfc7547-56a0-4049-8b52-c3078e8a8719",
"assignerShortName": "SailPoint",
"cveId": "CVE-2022-45435",
"datePublished": "2023-01-31T00:00:00.000Z",
"dateReserved": "2022-11-14T00:00:00.000Z",
"dateUpdated": "2025-03-27T18:28:39.509Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-10280 (GCVE-0-2025-10280)
Vulnerability from nvd – Published: 2025-11-03 16:35 – Updated: 2025-11-06 20:45
Summary
IdentityIQ 8.5, IdentityIQ 8.4 and all 8.4 patch levels prior to 8.4p4, IdentityIQ 8.3 and all 8.3 patch levels including 8.3p5, and all prior versions allow some IdentityIQ web services that provide non-HTML content to be accessed via a URL path that sets the Content-Type to HTML, allowing a requesting browser to interpret content that is not properly escaped to prevent Cross-Site Scripting (XSS).
Severity ?
7.1 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| SailPoint Technologies | IdentityIQ | Affected: 8.5 (semver); Affected: 8.4, < 8.4p4 (semver); Affected: 8.3, ≤ 8.3p5 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-10280",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-03T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-04T04:55:16.187Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "IdentityIQ",
"vendor": "SailPoint Technologies",
"versions": [
{
"status": "affected",
"version": "8.5",
"versionType": "semver"
},
{
"lessThan": "8.4p4",
"status": "affected",
"version": "8.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "8.3p5",
"status": "affected",
"version": "8.3",
"versionType": "semver"
}
]
}
],
"datePublic": "2025-11-03T16:35:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIdentityIQ\n8.5, IdentityIQ 8.4 and all 8.4 patch levels prior to 8.4p4, IdentityIQ 8.3 and\nall 8.3 patch levels including 8.3p5, and all prior versions allows some\nIdentityIQ web services that provide non-HTML content to be accessed via a URL\npath that will set the Content-Type to HTML allowing a requesting browser to\ninterpret content not properly escaped to prevent Cross-Site Scripting (XSS). \u003c/p\u003e"
}
],
"value": "IdentityIQ\n8.5, IdentityIQ 8.4 and all 8.4 patch levels prior to 8.4p4, IdentityIQ 8.3 and\nall 8.3 patch levels including 8.3p5, and all prior versions allows some\nIdentityIQ web services that provide non-HTML content to be accessed via a URL\npath that will set the Content-Type to HTML allowing a requesting browser to\ninterpret content not properly escaped to prevent Cross-Site Scripting (XSS)."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-06T20:45:31.741Z",
"orgId": "2cfc7547-56a0-4049-8b52-c3078e8a8719",
"shortName": "SailPoint"
},
"references": [
{
"url": "https://www.sailpoint.com/security-advisories/sailpoint-identityiq-incorrect-content-type-cross-site-scripting-vulnerability-cve-2025-10280"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Incorrect Content Type Cross-Site Scripting Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2cfc7547-56a0-4049-8b52-c3078e8a8719",
"assignerShortName": "SailPoint",
"cveId": "CVE-2025-10280",
"datePublished": "2025-11-03T16:35:56.241Z",
"dateReserved": "2025-09-11T16:02:56.954Z",
"dateUpdated": "2025-11-06T20:45:31.741Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-10905 (GCVE-0-2024-10905)
Vulnerability from nvd – Published: 2024-12-02 14:49 – Updated: 2025-01-06 17:42
Summary
IdentityIQ 8.4 and all 8.4 patch levels prior to 8.4p2, IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p5, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p8, and all prior versions allow HTTP/HTTPS access to static content in the IdentityIQ application directory that should be protected.
Severity ?
10 (Critical)
CWE
- CWE-66 - Improper Handling of File Names that Identify Virtual Resources
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| SailPoint Technologies | IdentityIQ | Affected: 8.2, < 8.2p8 (semver); Affected: 8.3, < 8.3p5 (semver); Affected: 8.4, < 8.4p2 (semver) |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:sailpoint:identityiq:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "identityiq",
"vendor": "sailpoint",
"versions": [
{
"lessThan": "8.2p8",
"status": "affected",
"version": "8.2",
"versionType": "semver"
},
{
"lessThan": "8.3p5",
"status": "affected",
"version": "8.3",
"versionType": "semver"
},
{
"lessThan": "8.4p2",
"status": "affected",
"version": "8.4",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-10905",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-03T04:55:24.996838Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-06T17:42:22.215Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "IdentityIQ",
"vendor": "SailPoint Technologies",
"versions": [
{
"lessThan": "8.2p8",
"status": "affected",
"version": "8.2",
"versionType": "semver"
},
{
"lessThan": "8.3p5",
"status": "affected",
"version": "8.3",
"versionType": "semver"
},
{
"lessThan": "8.4p2",
"status": "affected",
"version": "8.4",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IdentityIQ 8.4 and all 8.4 patch levels prior to 8.4p2, IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p5, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p8, and all prior versions\u0026nbsp;\u003cspan style=\"background-color: var(--wht);\"\u003eallow HTTP/HTTPS access to\u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: var(--wht);\"\u003estatic content in the IdentityIQ application directory that should be protected.\u003c/span\u003e\u003cspan style=\"background-color: var(--wht);\"\u003e\u003cbr\u003e\u003c/span\u003e\n\n\n\u003cbr\u003e"
}
],
"value": "IdentityIQ 8.4 and all 8.4 patch levels prior to 8.4p2, IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p5, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p8, and all prior versions\u00a0allow HTTP/HTTPS access to\u00a0static content in the IdentityIQ application directory that should be protected."
}
],
"impacts": [
{
"capecId": "CAPEC-1",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-66",
"description": "CWE-66: Improper Handling of File Names that Identify Virtual Resources",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-06T17:57:12.682Z",
"orgId": "2cfc7547-56a0-4049-8b52-c3078e8a8719",
"shortName": "SailPoint"
},
"references": [
{
"url": "https://www.sailpoint.com/security-advisories/identityiq-improper-access-control-vulnerability-cve-2024-10905"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://community.sailpoint.com/t5/IdentityIQ-Blog/IdentityIQ-Improper-Access-Control-Vulnerability/ba-p/261409\"\u003ehttps://community.sailpoint.com/t5/IdentityIQ-Blog/IdentityIQ-Improper-Access-Control-Vulnerability/...\u003c/a\u003e"
}
],
"value": "https://community.sailpoint.com/t5/IdentityIQ-Blog/IdentityIQ-Improper-Access-Control-Vulnerability/ba-p/261409"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IdentityIQ Improper Access Control Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2cfc7547-56a0-4049-8b52-c3078e8a8719",
"assignerShortName": "SailPoint",
"cveId": "CVE-2024-10905",
"datePublished": "2024-12-02T14:49:51.199Z",
"dateReserved": "2024-11-05T20:21:47.258Z",
"dateUpdated": "2025-01-06T17:42:22.215Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-2228 (GCVE-0-2024-2228)
Vulnerability from nvd – Published: 2024-03-22 15:50 – Updated: 2024-08-01 19:03
Summary
This vulnerability allows an authenticated user to perform a Lifecycle Manager flow or other QuickLink for a target user outside of the defined QuickLink Population.
Severity ?
7.1 (High)
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| SailPoint | IdentityIQ | Affected: 8.1, < 8.1p7 (semver); Affected: 8.2, < 8.2p7 (semver); Affected: 8.3, < 8.3p4 (semver); Affected: 8.4, < 8.4p1 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-2228",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-22T18:33:57.066222Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-05T17:21:16.762Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T19:03:39.121Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.sailpoint.com/security-advisories/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "IdentityIQ",
"vendor": "SailPoint",
"versions": [
{
"lessThan": "8.1p7",
"status": "affected",
"version": "8.1",
"versionType": "semver"
},
{
"lessThan": "8.2p7",
"status": "affected",
"version": "8.2",
"versionType": "semver"
},
{
"lessThan": "8.3p4",
"status": "affected",
"version": "8.3",
"versionType": "semver"
},
{
"lessThan": "8.4p1",
"status": "affected",
"version": "8.4",
"versionType": "semver"
}
]
}
],
"datePublic": "2024-03-21T15:43:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "This vulnerability allows an authenticated user to perform a Lifecycle Manager flow or other QuickLink for a target user outside of the defined QuickLink Population."
}
],
"value": "This vulnerability allows an authenticated user to perform a Lifecycle Manager flow or other QuickLink for a target user outside of the defined QuickLink Population."
}
],
"impacts": [
{
"capecId": "CAPEC-1",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-22T15:50:09.729Z",
"orgId": "2cfc7547-56a0-4049-8b52-c3078e8a8719",
"shortName": "SailPoint"
},
"references": [
{
"url": "https://www.sailpoint.com/security-advisories/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IdentityIQ Authorization of QuickLink Target Identities Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "2cfc7547-56a0-4049-8b52-c3078e8a8719",
"assignerShortName": "SailPoint",
"cveId": "CVE-2024-2228",
"datePublished": "2024-03-22T15:50:09.729Z",
"dateReserved": "2024-03-06T17:01:59.959Z",
"dateUpdated": "2024-08-01T19:03:39.121Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-2227 (GCVE-0-2024-2227)
Vulnerability from nvd – Published: 2024-03-22 15:43 – Updated: 2024-08-01 19:03
Summary
This vulnerability allows access to arbitrary files in the application server file system due to a path traversal vulnerability in JavaServer Faces (JSF) 2.2.20 documented in CVE-2020-6950. The remediation for this vulnerability contained in this security fix provides additional changes to the remediation announced in May 2021 tracked by ETN IIQSAW-3585 and January 2024 tracked by IIQFW-336. This vulnerability in IdentityIQ is assigned CVE-2024-2227.
Severity ?
10 (Critical)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| SailPoint | IdentityIQ | Affected: 8.1, < 8.1p7 (semver); Affected: 8.2, < 8.2p7 (semver); Affected: 8.3, < 8.3p4 (semver); Affected: 8.4, < 8.4p1 (semver) |
Credits
Jose Domingo Carillo Lencina, 0xd0m7
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:sailpoint:identityiq:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "identityiq",
"vendor": "sailpoint",
"versions": [
{
"lessThan": "8.1p7",
"status": "affected",
"version": "8.1",
"versionType": "custom"
},
{
"lessThan": "8.2p7",
"status": "affected",
"version": "8.2",
"versionType": "custom"
},
{
"lessThan": "8.3p4",
"status": "affected",
"version": "8.3",
"versionType": "custom"
},
{
"lessThan": "8.4p1",
"status": "affected",
"version": "8.4",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-2227",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-30T04:00:58.434391Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-01T18:45:07.233Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T19:03:39.142Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.sailpoint.com/security-advisories/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "IdentityIQ",
"vendor": "SailPoint",
"versions": [
{
"lessThan": "8.1p7",
"status": "affected",
"version": "8.1",
"versionType": "semver"
},
{
"lessThan": "8.2p7",
"status": "affected",
"version": "8.2",
"versionType": "semver"
},
{
"lessThan": "8.3p4",
"status": "affected",
"version": "8.3",
"versionType": "semver"
},
{
"lessThan": "8.4p1",
"status": "affected",
"version": "8.4",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Jose Domingo Carillo Lencina, 0xd0m7"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "This vulnerability allows access to arbitrary files in the application server file system due to a path traversal vulnerability in JavaServer Faces (JSF) 2.2.20 documented in CVE-2020-6950. The remediation for this vulnerability contained in this security fix provides additional changes to the remediation announced in May 2021 tracked by ETN IIQSAW-3585 and January 2024 tracked by IIQFW-336. This vulnerability in IdentityIQ is assigned CVE-2024-2227."
}
],
"value": "This vulnerability allows access to arbitrary files in the application server file system due to a path traversal vulnerability in JavaServer Faces (JSF) 2.2.20 documented in CVE-2020-6950. The remediation for this vulnerability contained in this security fix provides additional changes to the remediation announced in May 2021 tracked by ETN IIQSAW-3585 and January 2024 tracked by IIQFW-336. This vulnerability in IdentityIQ is assigned CVE-2024-2227."
}
],
"impacts": [
{
"capecId": "CAPEC-126",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-126 Path Traversal"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-22T15:43:12.869Z",
"orgId": "2cfc7547-56a0-4049-8b52-c3078e8a8719",
"shortName": "SailPoint"
},
"references": [
{
"url": "https://www.sailpoint.com/security-advisories/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IdentityIQ JavaServer Faces File Path Traversal Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "2cfc7547-56a0-4049-8b52-c3078e8a8719",
"assignerShortName": "SailPoint",
"cveId": "CVE-2024-2227",
"datePublished": "2024-03-22T15:43:12.869Z",
"dateReserved": "2024-03-06T17:01:38.789Z",
"dateUpdated": "2024-08-01T19:03:39.142Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-1714 (GCVE-0-2024-1714)
Vulnerability from nvd – Published: 2024-02-21 16:57 – Updated: 2025-08-26 20:08
Summary
An issue exists in all supported versions of IdentityIQ Lifecycle Manager that can result if an entitlement with a value containing leading or trailing whitespace is requested by an authenticated user in an access request.
Severity ?
7.1 (High)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| SailPoint | IdentityIQ | Affected: 8.2, < 8.2p7 (semver); Affected: 8.3, < 8.3p4 (semver); Affected: 8.4, < 8.4p1 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-1714",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-06T19:02:28.625676Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-26T20:08:09.865Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:48:21.832Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.sailpoint.com/security-advisories/sailpoint-identityiq-access-request-for-entitlement-values-with-leading-trailing-whitespace-cve-2024-1714/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "IdentityIQ",
"vendor": "SailPoint",
"versions": [
{
"lessThan": "8.2p7",
"status": "affected",
"version": "8.2",
"versionType": "semver"
},
{
"lessThan": "8.3p4",
"status": "affected",
"version": "8.3",
"versionType": "semver"
},
{
"lessThan": "8.4p1",
"status": "affected",
"version": "8.4",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An issue exists in all supported versions of IdentityIQ Lifecycle Manager that can result if an entitlement with a value containing leading or trailing whitespace is requested by an authenticated user in an access request."
}
],
"value": "An issue exists in all supported versions of IdentityIQ Lifecycle Manager that can result if an entitlement with a value containing leading or trailing whitespace is requested by an authenticated user in an access request."
}
],
"impacts": [
{
"capecId": "CAPEC-122",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-122 Privilege Abuse"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-17T18:37:39.187Z",
"orgId": "2cfc7547-56a0-4049-8b52-c3078e8a8719",
"shortName": "SailPoint"
},
"references": [
{
"url": "https://www.sailpoint.com/security-advisories/sailpoint-identityiq-access-request-for-entitlement-values-with-leading-trailing-whitespace-cve-2024-1714/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Access Request for Entitlement Values with Leading/Trailing Whitespace",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "2cfc7547-56a0-4049-8b52-c3078e8a8719",
"assignerShortName": "SailPoint",
"cveId": "CVE-2024-1714",
"datePublished": "2024-02-21T16:57:19.298Z",
"dateReserved": "2024-02-21T16:52:41.030Z",
"dateUpdated": "2025-08-26T20:08:09.865Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-32217 (GCVE-0-2023-32217)
Vulnerability from nvd – Published: 2023-05-31 00:00 – Updated: 2025-01-10 15:40
Summary
IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p3, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p6, IdentityIQ 8.1 and all 8.1 patch levels prior to 8.1p7, IdentityIQ 8.0 and all 8.0 patch levels prior to 8.0p6 allow an authenticated user to invoke a Java constructor with no arguments or a Java constructor with a single Map argument in any Java class available in the IdentityIQ application classpath.
Severity ?
9 (Critical)
CWE
- CWE-470 - Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| SailPoint | IdentityIQ | Affected: 8.3, ≤ 8.3p2 (semver); Affected: 8.2, ≤ 8.2p5 (semver); Affected: 8.1, ≤ 8.1p6 (semver); Affected: 8.0, ≤ 8.0p5 (semver) |
Credits
Recurity Labs GmbH
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T15:10:23.943Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.sailpoint.com/security-advisories/sailpoint-identityiq-unsafe-use-of-reflection-vulnerability-cve-2023-32217/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-32217",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-10T15:40:05.443644Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-10T15:40:35.132Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "IdentityIQ",
"vendor": "SailPoint",
"versions": [
{
"lessThanOrEqual": "8.3p2",
"status": "affected",
"version": "8.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "8.2p5",
"status": "affected",
"version": "8.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "8.1p6",
"status": "affected",
"version": "8.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "8.0p5",
"status": "affected",
"version": "8.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Recurity Labs GmbH"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p3, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p6, IdentityIQ 8.1 and all 8.1 patch levels prior to 8.1p7, IdentityIQ 8.0 and all 8.0 patch levels prior to 8.0p6\u0026nbsp;allow an authenticated user to invoke a Java constructor with no arguments or a Java constructor with a single Map argument in any Java class available in the IdentityIQ application classpath.\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p3, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p6, IdentityIQ 8.1 and all 8.1 patch levels prior to 8.1p7, IdentityIQ 8.0 and all 8.0 patch levels prior to 8.0p6\u00a0allow an authenticated user to invoke a Java constructor with no arguments or a Java constructor with a single Map argument in any Java class available in the IdentityIQ application classpath.\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-138",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-138 Reflection Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-470",
"description": "CWE-470 Use of Externally-Controlled Input to Select Classes or Code (\u0027Unsafe Reflection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-05T03:55:37.447Z",
"orgId": "2cfc7547-56a0-4049-8b52-c3078e8a8719",
"shortName": "SailPoint"
},
"references": [
{
"url": "https://www.sailpoint.com/security-advisories/sailpoint-identityiq-unsafe-use-of-reflection-vulnerability-cve-2023-32217/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "SailPoint IdentityIQ Unsafe use of Reflection Vulnerability",
"x_generator": {
"engine": "SecretariatVulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "2cfc7547-56a0-4049-8b52-c3078e8a8719",
"assignerShortName": "SailPoint",
"cveId": "CVE-2023-32217",
"datePublished": "2023-05-31T00:00:00",
"dateReserved": "2023-05-04T20:01:49.973Z",
"dateUpdated": "2025-01-10T15:40:35.132Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-46835 (GCVE-0-2022-46835)
Vulnerability from nvd – Published: 2023-01-31 00:00 – Updated: 2025-03-27 18:26
Summary
IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p2, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p5, IdentityIQ 8.1 and all 8.1 patch levels prior to 8.1p7, IdentityIQ 8.0 and all 8.0 patch levels prior to 8.0p6 allow access to arbitrary files in the application server filesystem due to a path traversal vulnerability in JavaServer Faces (JSF) 2.2.20 documented in CVE-2020-6950.
Severity ?
8.8 (High)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| SailPoint | IdentityIQ | Affected: 8.3, ≤ 8.3p1 (custom); Affected: 8.2, ≤ 8.2p4 (custom); Affected: 8.1, ≤ 8.1p6 (custom); Affected: 8.0, ≤ 8.0p5 (custom) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T14:39:39.059Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.sailpoint.com/security-advisories/sailpoint-identityiq-file-traversal-vulnerability-cve-2022-46835/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-46835",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-27T18:26:50.539506Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-27T18:26:57.953Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "IdentityIQ",
"vendor": "SailPoint",
"versions": [
{
"lessThanOrEqual": "8.3p1",
"status": "affected",
"version": "8.3",
"versionType": "custom"
},
{
"lessThanOrEqual": "8.2p4",
"status": "affected",
"version": "8.2",
"versionType": "custom"
},
{
"lessThanOrEqual": "8.1p6",
"status": "affected",
"version": "8.1",
"versionType": "custom"
},
{
"lessThanOrEqual": "8.0p5",
"status": "affected",
"version": "8.0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p2, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p5, IdentityIQ 8.1 and all 8.1 patch levels prior to 8.1p7, IdentityIQ 8.0 and all 8.0 patch levels prior to 8.0p6 allow access to arbitrary files in the application server filesystem due to a path traversal vulnerability in JavaServer Faces (JSF) 2.2.20 documented in CVE-2020-6950."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-02-02T00:00:00.000Z",
"orgId": "2cfc7547-56a0-4049-8b52-c3078e8a8719",
"shortName": "SailPoint"
},
"references": [
{
"url": "https://www.sailpoint.com/security-advisories/sailpoint-identityiq-file-traversal-vulnerability-cve-2022-46835/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "SailPoint IdentityIQ JavaServer File Path Traversal Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "2cfc7547-56a0-4049-8b52-c3078e8a8719",
"assignerShortName": "SailPoint",
"cveId": "CVE-2022-46835",
"datePublished": "2023-01-31T00:00:00.000Z",
"dateReserved": "2022-12-08T00:00:00.000Z",
"dateUpdated": "2025-03-27T18:26:57.953Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-45435 (GCVE-0-2022-45435)
Vulnerability from nvd – Published: 2023-01-31 00:00 – Updated: 2025-03-27 18:28
Summary
IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p2, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p5, IdentityIQ 8.1 and all 8.1 patch levels prior to 8.1p7, IdentityIQ 8.0 and all 8.0 patch levels prior to 8.0p6, and all prior versions allow authenticated users assigned the Identity Administrator capability or any custom capability that contains the SetIdentityForwarding right to modify the work item forwarding configuration for identities other than the ones that should be allowed by Lifecycle Manager Quicklink Population configuration.
Severity ?
6.8 (Medium)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| SailPoint | IdentityIQ | Affected: 8.3, ≤ 8.3p1 (custom); Affected: 8.2, ≤ 8.2p4 (custom); Affected: 8.1, ≤ 8.1p6 (custom); Affected: 8.0, ≤ 8.0p5 (custom) |
Credits
Elisia Chessel, Klarna AB
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T14:09:57.045Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.sailpoint.com/security-advisories/sailpoint-identityiq-identity-forwarding-vulnerability-cve-2022-45435/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-45435",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-27T18:28:31.181114Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-27T18:28:39.509Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "IdentityIQ",
"vendor": "SailPoint",
"versions": [
{
"lessThanOrEqual": "8.3p1",
"status": "affected",
"version": "8.3",
"versionType": "custom"
},
{
"lessThanOrEqual": "8.2p4",
"status": "affected",
"version": "8.2",
"versionType": "custom"
},
{
"lessThanOrEqual": "8.1p6",
"status": "affected",
"version": "8.1",
"versionType": "custom"
},
{
"lessThanOrEqual": "8.0p5",
"status": "affected",
"version": "8.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Elisia Chessel,Klarna AB"
}
],
"descriptions": [
{
"lang": "en",
"value": "IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p2, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p5, IdentityIQ 8.1 and all 8.1 patch levels prior to 8.1p7, IdentityIQ 8.0 and all 8.0 patch levels prior to 8.0p6, and all prior versions allow authenticated users assigned the Identity Administrator capability or any custom capability that contains the SetIdentityForwarding right to modify the work item forwarding configuration for identities other than the ones that should be allowed by Lifecycle Manager Quicklink Population configuration."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-31T00:00:00.000Z",
"orgId": "2cfc7547-56a0-4049-8b52-c3078e8a8719",
"shortName": "SailPoint"
},
"references": [
{
"url": "https://www.sailpoint.com/security-advisories/sailpoint-identityiq-identity-forwarding-vulnerability-cve-2022-45435/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "SailPoint IdentityIQ Access Control Bypass",
"workarounds": [
{
"lang": "en",
"value": "Remove the SetIdentityForwarding right from all IdentityIQ capabilities or unassign any capability containing the SetIdentityForwarding right from all identities. In this mitigated state, work item forwarding can still be configured by an identity by modifying user preferences."
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "2cfc7547-56a0-4049-8b52-c3078e8a8719",
"assignerShortName": "SailPoint",
"cveId": "CVE-2022-45435",
"datePublished": "2023-01-31T00:00:00.000Z",
"dateReserved": "2022-11-14T00:00:00.000Z",
"dateUpdated": "2025-03-27T18:28:39.509Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}