{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-10905", "assignerOrgId": "2cfc7547-56a0-4049-8b52-c3078e8a8719", "state": "PUBLISHED", "assignerShortName": "SailPoint", "dateReserved": "2024-11-05T20:21:47.258Z", "datePublished": "2024-12-02T14:49:51.199Z", "dateUpdated": "2024-12-06T17:57:12.682Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "product": "IdentityIQ", "vendor": "SailPoint Technologies", "versions": [{"lessThan": "8.2p8", "status": "affected", "version": "8.2", "versionType": "semver"}, {"lessThan": "8.3p5", "status": "affected", "version": "8.3", "versionType": "semver"}, {"lessThan": "8.4p2", "status": "affected", "version": "8.4", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "IdentityIQ 8.4 and all 8.4 patch levels prior to 8.4p2, IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p5, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p8, and all prior versions&nbsp;<span style=\"background-color: var(--wht);\">allow HTTP/HTTPS access to&nbsp;</span><span style=\"background-color: var(--wht);\">static content in the IdentityIQ application directory that should be protected.</span><span style=\"background-color: var(--wht);\"><br></span>\n\n\n<br>"}], "value": "IdentityIQ 8.4 and all 8.4 patch levels prior to 8.4p2, IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p5, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p8, and all prior versions\u00a0allow HTTP/HTTPS access to\u00a0static content in the IdentityIQ application directory that should be protected."}], "impacts": [{"capecId": "CAPEC-1", "descriptions": [{"lang": "en", "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-66", "description": "CWE-66: Improper Handling of File Names that Identify Virtual Resources", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "2cfc7547-56a0-4049-8b52-c3078e8a8719", "shortName": "SailPoint", "dateUpdated": "2024-12-06T17:57:12.682Z"}, "references": [{"url": "https://www.sailpoint.com/security-advisories/identityiq-improper-access-control-vulnerability-cve-2024-10905"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<a target=\"_blank\" rel=\"nofollow\" href=\"https://community.sailpoint.com/t5/IdentityIQ-Blog/IdentityIQ-Improper-Access-Control-Vulnerability/ba-p/261409\">https://community.sailpoint.com/t5/IdentityIQ-Blog/IdentityIQ-Improper-Access-Control-Vulnerability/...</a>"}], "value": "https://community.sailpoint.com/t5/IdentityIQ-Blog/IdentityIQ-Improper-Access-Control-Vulnerability/... https://community.sailpoint.com/t5/IdentityIQ-Blog/IdentityIQ-Improper-Access-Control-Vulnerability/ba-p/261409"}], "source": {"discovery": "UNKNOWN"}, "title": "IdentityIQ Improper Access Control VulnerabilityIdentityIQ Improper Access Control Vulnerability", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"affected": [{"vendor": "sailpoint", "product": "identityiq", "cpes": ["cpe:2.3:a:sailpoint:identityiq:8.2:-:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "8.2", "status": "affected", "lessThan": "8.2p8", "versionType": "semver"}, {"version": "8.3", "status": "affected", "lessThan": "8.3p5", "versionType": "semver"}, {"version": "8.4", "status": "affected", "lessThan": "8.4p2", "versionType": "semver"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-12-02T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2024-10905"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-12-03T04:55:23.774Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-10905", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-12-02T15:23:24.339429Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:sailpoint:identityiq:8.2:-:*:*:*:*:*:*"], "vendor": "sailpoint", "product": "identityiq", "versions": [{"status": "affected", "version": "8.2", "lessThan": "8.2p8", "versionType": "semver"}, {"status": "affected", "version": "8.3", "lessThan": "8.3p5", "versionType": "semver"}, {"status": "affected", "version": "8.4", "lessThan": "8.4p2", "versionType": "semver"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-12-02T15:26:13.287Z"}}], "cna": {"title": "IdentityIQ Improper Access Control VulnerabilityIdentityIQ Improper Access Control Vulnerability", "source": {"discovery": "UNKNOWN"}, "impacts": [{"capecId": "CAPEC-1", "descriptions": [{"lang": "en", "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 10, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "SailPoint Technologies", "product": "IdentityIQ", "versions": [{"status": "affected", "version": "8.2", "lessThan": "8.2p8", "versionType": "semver"}, {"status": "affected", "version": "8.3", "lessThan": "8.3p5", "versionType": "semver"}, {"status": "affected", "version": "8.4", "lessThan": "8.4p2", "versionType": "semver"}], "defaultStatus": "affected"}], "solutions": [{"lang": "en", "value": "https://community.sailpoint.com/t5/IdentityIQ-Blog/IdentityIQ-Improper-Access-Control-Vulnerability/... https://community.sailpoint.com/t5/IdentityIQ-Blog/IdentityIQ-Improper-Access-Control-Vulnerability/ba-p/261409", "supportingMedia": [{"type": "text/html", "value": "<a target=\"_blank\" rel=\"nofollow\" href=\"https://community.sailpoint.com/t5/IdentityIQ-Blog/IdentityIQ-Improper-Access-Control-Vulnerability/ba-p/261409\">https://community.sailpoint.com/t5/IdentityIQ-Blog/IdentityIQ-Improper-Access-Control-Vulnerability/...</a>", "base64": false}]}], "references": [{"url": "https://www.sailpoint.com/security-advisories/identityiq-improper-access-control-vulnerability-cve-2024-10905"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "IdentityIQ 8.4 and all 8.4 patch levels prior to 8.4p2, IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p5, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p8, and all prior versions\u00a0allow HTTP/HTTPS access to\u00a0static content in the IdentityIQ application directory that should be protected.", "supportingMedia": [{"type": "text/html", "value": "IdentityIQ 8.4 and all 8.4 patch levels prior to 8.4p2, IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p5, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p8, and all prior versions&nbsp;<span style=\"background-color: var(--wht);\">allow HTTP/HTTPS access to&nbsp;</span><span style=\"background-color: var(--wht);\">static content in the IdentityIQ application directory that should be protected.</span><span style=\"background-color: var(--wht);\"><br></span>\n\n\n<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-66", "description": "CWE-66: Improper Handling of File Names that Identify Virtual Resources"}]}], "providerMetadata": {"orgId": "2cfc7547-56a0-4049-8b52-c3078e8a8719", "shortName": "SailPoint", "dateUpdated": "2024-12-06T17:57:12.682Z"}}}, "cveMetadata": {"cveId": "CVE-2024-10905", "state": "PUBLISHED", "dateUpdated": "2024-12-06T17:57:12.682Z", "dateReserved": "2024-11-05T20:21:47.258Z", "assignerOrgId": "2cfc7547-56a0-4049-8b52-c3078e8a8719", "datePublished": "2024-12-02T14:49:51.199Z", "assignerShortName": "SailPoint"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "IdentityIQ 8.4 and all 8.4 patch levels prior to 8.4p2, IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p5, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p8, and all prior versions\u00a0allow HTTP/HTTPS access to\u00a0static content in the IdentityIQ application directory that should be protected."}, {"lang": "es", "value": "IdentityIQ 8.4 y todos los niveles de parche 8.4 anteriores a 8.4p2, IdentityIQ 8.3 y todos los niveles de parche 8.3 anteriores a 8.3p5, IdentityIQ 8.2 y todos los niveles de parche 8.2 anteriores a 8.2p8, y todas las versiones anteriores permiten el acceso HTTP a contenido est\u00e1tico en el directorio de la aplicaci\u00f3n IdentityIQ que debe estar protegido."}], "id": "CVE-2024-10905", "lastModified": "2024-12-06T18:15:22.207", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 6.0, "source": "[email protected]", "type": "Secondary"}]}, "published": "2024-12-02T15:15:10.240", "references": [{"source": "[email protected]", "url": "https://www.sailpoint.com/security-advisories/identityiq-improper-access-control-vulnerability-cve-2024-10905"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-66"}], "source": "[email protected]", "type": "Secondary"}]}

{}