Vulnerabilities related to SailPoint - IdentityIQ
CVE-2022-45435 (GCVE-0-2022-45435)
Vulnerability from cvelistv5
Published
2023-01-31 00:00
Modified
2025-03-27 18:28
Severity ?
6.8 (Medium) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
CWE
- CWE-863 - Incorrect Authorization
Summary
IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p2, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p5, IdentityIQ 8.1 and all 8.1 patch levels prior to 8.1p7, IdentityIQ 8.0 and all 8.0 patch levels prior to 8.0p6, and all prior versions allow authenticated users assigned the Identity Administrator capability or any custom capability that contains the SetIdentityForwarding right to modify the work item forwarding configuration for identities other than the ones that should be allowed by Lifecycle Manager Quicklink Population configuration.
References
Impacted products
Vendor | Product | Version |
---|---|---|
SailPoint | IdentityIQ | Version: 8.3 ≤ 8.3p1; Version: 8.2 ≤ 8.2p4; Version: 8.1 ≤ 8.1p6; Version: 8.0 ≤ 8.0p5 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T14:09:57.045Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://www.sailpoint.com/security-advisories/sailpoint-identityiq-identity-forwarding-vulnerability-cve-2022-45435/" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2022-45435", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2025-03-27T18:28:31.181114Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-03-27T18:28:39.509Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "IdentityIQ", "vendor": "SailPoint", "versions": [ { "lessThanOrEqual": "8.3p1", "status": "affected", "version": "8.3", "versionType": "custom" }, { "lessThanOrEqual": "8.2p4", "status": "affected", "version": "8.2", "versionType": "custom" }, { "lessThanOrEqual": "8.1p6", "status": "affected", "version": "8.1", "versionType": "custom" }, { "lessThanOrEqual": "8.0p5", "status": "affected", "version": "8.0", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "Elisia Chessel,Klarna AB" } ], "descriptions": [ { "lang": "en", "value": "IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p2, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p5, IdentityIQ 8.1 and all 8.1 patch levels prior to 8.1p7, IdentityIQ 8.0 and all 8.0 patch levels prior to 8.0p6, and all prior versions allow authenticated users assigned the Identity Administrator capability or any custom capability that contains the SetIdentityForwarding right to modify the work item forwarding configuration for identities other than the ones that should be allowed by Lifecycle Manager Quicklink Population configuration." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-01-31T00:00:00.000Z", "orgId": "2cfc7547-56a0-4049-8b52-c3078e8a8719", "shortName": "SailPoint" }, "references": [ { "url": "https://www.sailpoint.com/security-advisories/sailpoint-identityiq-identity-forwarding-vulnerability-cve-2022-45435/" } ], "source": { "discovery": "EXTERNAL" }, "title": "SailPoint IdentityIQ Access Control Bypass", "workarounds": [ { "lang": "en", "value": "Remove the SetIdentityForwarding right from all IdentityIQ capabilities or unassign any capability containing the SetIdentityForwarding right from all identities. In this mitigated state, work item forwarding can still be configured by an identity by modifying user preferences." } ], "x_generator": { "engine": "Vulnogram 0.0.9" } } }, "cveMetadata": { "assignerOrgId": "2cfc7547-56a0-4049-8b52-c3078e8a8719", "assignerShortName": "SailPoint", "cveId": "CVE-2022-45435", "datePublished": "2023-01-31T00:00:00.000Z", "dateReserved": "2022-11-14T00:00:00.000Z", "dateUpdated": "2025-03-27T18:28:39.509Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-2228 (GCVE-0-2024-2228)
Vulnerability from cvelistv5
Published
2024-03-22 15:50
Modified
2024-08-01 19:03
Severity ?
7.1 (High) - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
CWE
- CWE-269 - Improper Privilege Management
Summary
This vulnerability allows an authenticated user to perform a Lifecycle Manager flow or other QuickLink for a target user outside of the defined QuickLink Population.
References
Impacted products
Vendor | Product | Version |
---|---|---|
SailPoint | IdentityIQ | Version: 8.1 ≤ version < 8.1p7; Version: 8.2 ≤ version < 8.2p7; Version: 8.3 ≤ version < 8.3p4; Version: 8.4 ≤ version < 8.4p1 |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-2228", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-03-22T18:33:57.066222Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-07-05T17:21:16.762Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-01T19:03:39.121Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://www.sailpoint.com/security-advisories/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unknown", "product": "IdentityIQ", "vendor": "SailPoint", "versions": [ { "lessThan": "8.1p7", "status": "affected", "version": "8.1", "versionType": "semver" }, { "lessThan": "8.2p7", "status": "affected", "version": "8.2", "versionType": "semver" }, { "lessThan": "8.3p4", "status": "affected", "version": "8.3", "versionType": "semver" }, { "lessThan": "8.4p1", "status": "affected", "version": "8.4", "versionType": "semver" } ] } ], "datePublic": "2024-03-21T15:43:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "This vulnerability allows an authenticated user to perform a Lifecycle Manager flow or other QuickLink for a target user outside of the defined QuickLink Population." } ], "value": "This vulnerability allows an authenticated user to perform a Lifecycle Manager flow or other QuickLink for a target user outside of the defined QuickLink Population." 
} ], "impacts": [ { "capecId": "CAPEC-1", "descriptions": [ { "lang": "en", "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-269", "description": "CWE-269 Improper Privilege Management", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-03-22T15:50:09.729Z", "orgId": "2cfc7547-56a0-4049-8b52-c3078e8a8719", "shortName": "SailPoint" }, "references": [ { "url": "https://www.sailpoint.com/security-advisories/" } ], "source": { "discovery": "UNKNOWN" }, "title": "IdentityIQ Authorization of QuickLink Target Identities Vulnerability", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "2cfc7547-56a0-4049-8b52-c3078e8a8719", "assignerShortName": "SailPoint", "cveId": "CVE-2024-2228", "datePublished": "2024-03-22T15:50:09.729Z", "dateReserved": "2024-03-06T17:01:59.959Z", "dateUpdated": "2024-08-01T19:03:39.121Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-2227 (GCVE-0-2024-2227)
Vulnerability from cvelistv5
Published
2024-03-22 15:43
Modified
2024-08-01 19:03
Severity ?
10.0 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Summary
This vulnerability allows access to arbitrary files in the application server file system due to a path traversal vulnerability in JavaServer Faces (JSF) 2.2.20 documented in CVE-2020-6950. The remediation for this vulnerability contained in this security fix provides additional changes to the remediation announced in May 2021 tracked by ETN IIQSAW-3585 and January 2024 tracked by IIQFW-336. This vulnerability in IdentityIQ is assigned CVE-2024-2227.
References
Impacted products
Vendor | Product | Version |
---|---|---|
SailPoint | IdentityIQ | Version: 8.1 ≤ version < 8.1p7; Version: 8.2 ≤ version < 8.2p7; Version: 8.3 ≤ version < 8.3p4; Version: 8.4 ≤ version < 8.4p1 |
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:sailpoint:identityiq:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "identityiq", "vendor": "sailpoint", "versions": [ { "lessThan": "8.1p7", "status": "affected", "version": "8.1", "versionType": "custom" }, { "lessThan": "8.2p7", "status": "affected", "version": "8.2", "versionType": "custom" }, { "lessThan": "8.3p4", "status": "affected", "version": "8.3", "versionType": "custom" }, { "lessThan": "8.4p1", "status": "affected", "version": "8.4", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-2227", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-03-30T04:00:58.434391Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-08-01T18:45:07.233Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-01T19:03:39.142Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://www.sailpoint.com/security-advisories/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unknown", "product": "IdentityIQ", "vendor": "SailPoint", "versions": [ { "lessThan": "8.1p7", "status": "affected", "version": "8.1", "versionType": "semver" }, { "lessThan": "8.2p7", "status": "affected", "version": "8.2", "versionType": "semver" }, { "lessThan": "8.3p4", "status": "affected", "version": "8.3", "versionType": "semver" }, { "lessThan": "8.4p1", "status": "affected", "version": "8.4", "versionType": "semver" } ] } ], "credits": [ { "lang": "en", "type": "reporter", "user": "00000000-0000-4000-9000-000000000000", "value": "Jose Domingo Carillo Lencina, 0xd0m7" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { 
"base64": false, "type": "text/html", "value": "This vulnerability allows access to arbitrary files in the application server file system due to a path traversal vulnerability in JavaServer Faces (JSF) 2.2.20 documented in CVE-2020-6950. The remediation for this vulnerability contained in this security fix provides additional changes to the remediation announced in May 2021 tracked by ETN IIQSAW-3585 and January 2024 tracked by IIQFW-336. This vulnerability in IdentityIQ is assigned CVE-2024-2227." } ], "value": "This vulnerability allows access to arbitrary files in the application server file system due to a path traversal vulnerability in JavaServer Faces (JSF) 2.2.20 documented in CVE-2020-6950. The remediation for this vulnerability contained in this security fix provides additional changes to the remediation announced in May 2021 tracked by ETN IIQSAW-3585 and January 2024 tracked by IIQFW-336. This vulnerability in IdentityIQ is assigned CVE-2024-2227." } ], "impacts": [ { "capecId": "CAPEC-126", "descriptions": [ { "lang": "en", "value": "CAPEC-126 Path Traversal" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-03-22T15:43:12.869Z", "orgId": "2cfc7547-56a0-4049-8b52-c3078e8a8719", "shortName": "SailPoint" }, "references": [ { "url": "https://www.sailpoint.com/security-advisories/" } ], "source": { 
"discovery": "UNKNOWN" }, "title": "IdentityIQ JavaServer Faces File Path Traversal Vulnerability", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "2cfc7547-56a0-4049-8b52-c3078e8a8719", "assignerShortName": "SailPoint", "cveId": "CVE-2024-2227", "datePublished": "2024-03-22T15:43:12.869Z", "dateReserved": "2024-03-06T17:01:38.789Z", "dateUpdated": "2024-08-01T19:03:39.142Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-1714 (GCVE-0-2024-1714)
Vulnerability from cvelistv5
Published
2024-02-21 16:57
Modified
2024-12-18 17:52
Severity ?
7.1 (High) - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:L
CWE
- CWE-20 - Improper Input Validation
Summary
An issue exists in all supported versions of IdentityIQ Lifecycle Manager that can result if an entitlement with a value containing leading or trailing whitespace is requested by an authenticated user in an access request.
References
Impacted products
Vendor | Product | Version |
---|---|---|
SailPoint | IdentityIQ | Version: 8.2 ≤ version < 8.2p7; Version: 8.3 ≤ version < 8.3p4; Version: 8.4 ≤ version < 8.4p1 |
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:L", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2024-1714", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-03-06T19:02:28.625676Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-1284", "description": "CWE-1284 Improper Validation of Specified Quantity in Input", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-12-18T17:52:59.511Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-01T18:48:21.832Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://www.sailpoint.com/security-advisories/sailpoint-identityiq-access-request-for-entitlement-values-with-leading-trailing-whitespace-cve-2024-1714/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unknown", "product": "IdentityIQ", "vendor": "SailPoint", "versions": [ { "lessThan": "8.2p7", "status": "affected", "version": "8.2", "versionType": "semver" }, { "lessThan": "8.3p4", "status": "affected", "version": "8.3", "versionType": "semver" }, { "lessThan": "8.4p1", "status": "affected", "version": "8.4", "versionType": "semver" } ] } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "An issue exists in all supported versions of IdentityIQ Lifecycle Manager that can 
result if an entitlement with a value containing leading or trailing whitespace is requested by an authenticated user in an access request." } ], "value": "An issue exists in all supported versions of IdentityIQ Lifecycle Manager that can result if an entitlement with a value containing leading or trailing whitespace is requested by an authenticated user in an access request." } ], "impacts": [ { "capecId": "CAPEC-122", "descriptions": [ { "lang": "en", "value": "CAPEC-122 Privilege Abuse" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:L", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-20", "description": "CWE-20 Improper Input Validation", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-04-17T18:37:39.187Z", "orgId": "2cfc7547-56a0-4049-8b52-c3078e8a8719", "shortName": "SailPoint" }, "references": [ { "url": "https://www.sailpoint.com/security-advisories/sailpoint-identityiq-access-request-for-entitlement-values-with-leading-trailing-whitespace-cve-2024-1714/" } ], "source": { "discovery": "UNKNOWN" }, "title": "Access Request for Entitlement Values with Leading/Trailing Whitespace", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "2cfc7547-56a0-4049-8b52-c3078e8a8719", "assignerShortName": "SailPoint", "cveId": "CVE-2024-1714", "datePublished": "2024-02-21T16:57:19.298Z", "dateReserved": "2024-02-21T16:52:41.030Z", "dateUpdated": "2024-12-18T17:52:59.511Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-46835 (GCVE-0-2022-46835)
Vulnerability from cvelistv5
Published
2023-01-31 00:00
Modified
2025-03-27 18:26
Severity ?
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Summary
IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p2, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p5, IdentityIQ 8.1 and all 8.1 patch levels prior to 8.1p7, IdentityIQ 8.0 and all 8.0 patch levels prior to 8.0p6 allow access to arbitrary files in the application server filesystem due to a path traversal vulnerability in JavaServer Faces (JSF) 2.2.20 documented in CVE-2020-6950.
References
Impacted products
Vendor | Product | Version |
---|---|---|
SailPoint | IdentityIQ | Version: 8.3 ≤ 8.3p1; Version: 8.2 ≤ 8.2p4; Version: 8.1 ≤ 8.1p6; Version: 8.0 ≤ 8.0p5 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T14:39:39.059Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://www.sailpoint.com/security-advisories/sailpoint-identityiq-file-traversal-vulnerability-cve-2022-46835/" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2022-46835", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2025-03-27T18:26:50.539506Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-03-27T18:26:57.953Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "IdentityIQ", "vendor": "SailPoint", "versions": [ { "lessThanOrEqual": "8.3p1", "status": "affected", "version": "8.3", "versionType": "custom" }, { "lessThanOrEqual": "8.2p4", "status": "affected", "version": "8.2", "versionType": "custom" }, { "lessThanOrEqual": "8.1p6", "status": "affected", "version": "8.1", "versionType": "custom" }, { "lessThanOrEqual": "8.0p5", "status": "affected", "version": "8.0", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p2, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p5, IdentityIQ 8.1 and all 8.1 patch levels prior to 8.1p7, IdentityIQ 8.0 and all 8.0 patch levels prior to 8.0p6 allow access to arbitrary files in the application server filesystem due to a path traversal vulnerability in JavaServer Faces (JSF) 2.2.20 documented in CVE-2020-6950." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-02-02T00:00:00.000Z", "orgId": "2cfc7547-56a0-4049-8b52-c3078e8a8719", "shortName": "SailPoint" }, "references": [ { "url": "https://www.sailpoint.com/security-advisories/sailpoint-identityiq-file-traversal-vulnerability-cve-2022-46835/" } ], "source": { "discovery": "UNKNOWN" }, "title": "SailPoint IdentityIQ JavaServer File Path Traversal Vulnerability", "x_generator": { "engine": "Vulnogram 0.0.9" } } }, "cveMetadata": { "assignerOrgId": "2cfc7547-56a0-4049-8b52-c3078e8a8719", "assignerShortName": "SailPoint", "cveId": "CVE-2022-46835", "datePublished": "2023-01-31T00:00:00.000Z", "dateReserved": "2022-12-08T00:00:00.000Z", "dateUpdated": "2025-03-27T18:26:57.953Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-32217 (GCVE-0-2023-32217)
Vulnerability from cvelistv5
Published
2023-05-31 00:00
Modified
2025-01-10 15:40
Severity ?
9.0 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
CWE
- CWE-470 - Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
Summary
IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p3, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p6, IdentityIQ 8.1 and all 8.1 patch levels prior to 8.1p7, IdentityIQ 8.0 and all 8.0 patch levels prior to 8.0p6 allow an authenticated user to invoke a Java constructor with no arguments or a Java constructor with a single Map argument in any Java class available in the IdentityIQ application classpath.
References
Impacted products
Vendor | Product | Version |
---|---|---|
SailPoint | IdentityIQ | Version: 8.3 ≤ 8.3p2; Version: 8.2 ≤ 8.2p5; Version: 8.1 ≤ 8.1p6; Version: 8.0 ≤ 8.0p5 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T15:10:23.943Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://www.sailpoint.com/security-advisories/sailpoint-identityiq-unsafe-use-of-reflection-vulnerability-cve-2023-32217/" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-32217", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2025-01-10T15:40:05.443644Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-01-10T15:40:35.132Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unknown", "product": "IdentityIQ", "vendor": "SailPoint", "versions": [ { "lessThanOrEqual": "8.3p2", "status": "affected", "version": "8.3", "versionType": "semver" }, { "lessThanOrEqual": "8.2p5", "status": "affected", "version": "8.2", "versionType": "semver" }, { "lessThanOrEqual": "8.1p6", "status": "affected", "version": "8.1", "versionType": "semver" }, { "lessThanOrEqual": "8.0p5", "status": "affected", "version": "8.0", "versionType": "semver" } ] } ], "credits": [ { "lang": "en", "type": "reporter", "user": "00000000-0000-4000-9000-000000000000", "value": "Recurity Labs GmbH" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p3, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p6, IdentityIQ 8.1 and all 8.1 patch levels prior to 8.1p7, IdentityIQ 8.0 and all 8.0 patch levels prior to 8.0p6\u0026nbsp;allow an authenticated user to invoke a Java constructor with no arguments or a Java constructor with a single Map argument in any Java class available in the IdentityIQ 
application classpath.\u003cbr\u003e\u003cbr\u003e" } ], "value": "IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p3, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p6, IdentityIQ 8.1 and all 8.1 patch levels prior to 8.1p7, IdentityIQ 8.0 and all 8.0 patch levels prior to 8.0p6\u00a0allow an authenticated user to invoke a Java constructor with no arguments or a Java constructor with a single Map argument in any Java class available in the IdentityIQ application classpath.\n\n" } ], "impacts": [ { "capecId": "CAPEC-138", "descriptions": [ { "lang": "en", "value": "CAPEC-138 Reflection Injection" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-470", "description": "CWE-470 Use of Externally-Controlled Input to Select Classes or Code (\u0027Unsafe Reflection\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-06-05T03:55:37.447Z", "orgId": "2cfc7547-56a0-4049-8b52-c3078e8a8719", "shortName": "SailPoint" }, "references": [ { "url": "https://www.sailpoint.com/security-advisories/sailpoint-identityiq-unsafe-use-of-reflection-vulnerability-cve-2023-32217/" } ], "source": { "discovery": "EXTERNAL" }, "title": "SailPoint IdentityIQ Unsafe use of Reflection Vulnerability", "x_generator": { "engine": "SecretariatVulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "2cfc7547-56a0-4049-8b52-c3078e8a8719", "assignerShortName": "SailPoint", "cveId": "CVE-2023-32217", "datePublished": "2023-05-31T00:00:00", "dateReserved": "2023-05-04T20:01:49.973Z", 
"dateUpdated": "2025-01-10T15:40:35.132Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-1714
Vulnerability from fkie_nvd
Published
2024-02-21 17:15
Modified
2025-05-06 17:45
Severity ?
7.1 (High) - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:L
7.1 (High) - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:L
7.1 (High) - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:L
Summary
An issue exists in all supported versions of IdentityIQ Lifecycle Manager that can result if an entitlement with a value containing leading or trailing whitespace is requested by an authenticated user in an access request.
References
Impacted products
Vendor | Product | Version | Update |
---|---|---|---|
sailpoint | identityiq | 8.1 | - |
sailpoint | identityiq | 8.1 | patch1 |
sailpoint | identityiq | 8.1 | patch2 |
sailpoint | identityiq | 8.1 | patch3 |
sailpoint | identityiq | 8.1 | patch4 |
sailpoint | identityiq | 8.1 | patch5 |
sailpoint | identityiq | 8.1 | patch6 |
sailpoint | identityiq | 8.2 | - |
sailpoint | identityiq | 8.2 | patch1 |
sailpoint | identityiq | 8.2 | patch2 |
sailpoint | identityiq | 8.2 | patch4 |
sailpoint | identityiq | 8.3 | - |
sailpoint | identityiq | 8.3 | patch1 |
sailpoint | identityiq | 8.4 | - |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sailpoint:identityiq:8.1:-:*:*:*:*:*:*", "matchCriteriaId": "00C8E5FB-5B6D-4C1B-AEFE-C884B28392D8", "vulnerable": true }, { "criteria": "cpe:2.3:a:sailpoint:identityiq:8.1:patch1:*:*:*:*:*:*", "matchCriteriaId": "216615A8-0E21-4597-871C-AC121BF0E150", "vulnerable": true }, { "criteria": "cpe:2.3:a:sailpoint:identityiq:8.1:patch2:*:*:*:*:*:*", "matchCriteriaId": "35ECC22F-B2A2-4750-B995-2944F12C1BFF", "vulnerable": true }, { "criteria": "cpe:2.3:a:sailpoint:identityiq:8.1:patch3:*:*:*:*:*:*", "matchCriteriaId": "9ECEF57B-DA34-402A-86F0-713A3683A172", "vulnerable": true }, { "criteria": "cpe:2.3:a:sailpoint:identityiq:8.1:patch4:*:*:*:*:*:*", "matchCriteriaId": "1815D4C7-50FC-45DA-8130-E9258CAFBD09", "vulnerable": true }, { "criteria": "cpe:2.3:a:sailpoint:identityiq:8.1:patch5:*:*:*:*:*:*", "matchCriteriaId": "F784765E-8B3C-4F96-B57A-E6E7AECE628C", "vulnerable": true }, { "criteria": "cpe:2.3:a:sailpoint:identityiq:8.1:patch6:*:*:*:*:*:*", "matchCriteriaId": "A7B4F481-4E74-4B56-9851-E1A665F5783D", "vulnerable": true }, { "criteria": "cpe:2.3:a:sailpoint:identityiq:8.2:-:*:*:*:*:*:*", "matchCriteriaId": "224129BF-667F-4F6A-8E9A-15390F6FA3D5", "vulnerable": true }, { "criteria": "cpe:2.3:a:sailpoint:identityiq:8.2:patch1:*:*:*:*:*:*", "matchCriteriaId": "2A8C2668-C1F1-4A67-A2B3-99B5746C6A52", "vulnerable": true }, { "criteria": "cpe:2.3:a:sailpoint:identityiq:8.2:patch2:*:*:*:*:*:*", "matchCriteriaId": "A9D91EB5-EC8E-4200-9245-13E37312343D", "vulnerable": true }, { "criteria": "cpe:2.3:a:sailpoint:identityiq:8.2:patch4:*:*:*:*:*:*", "matchCriteriaId": "63352C53-ADD8-49CD-B9E6-648183BDED68", "vulnerable": true }, { "criteria": "cpe:2.3:a:sailpoint:identityiq:8.3:-:*:*:*:*:*:*", "matchCriteriaId": "1173CC53-CBE5-450C-96BF-8583D1B3D185", "vulnerable": true }, { "criteria": "cpe:2.3:a:sailpoint:identityiq:8.3:patch1:*:*:*:*:*:*", "matchCriteriaId": "2C0F5E55-5D33-425F-9DA7-49FE66CD84C4", 
"vulnerable": true }, { "criteria": "cpe:2.3:a:sailpoint:identityiq:8.4:-:*:*:*:*:*:*", "matchCriteriaId": "4BC4F08D-A3FB-41F6-8EFD-6F34FBC0F75F", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "An issue exists in all supported versions of IdentityIQ Lifecycle Manager that can result if an entitlement with a value containing leading or trailing whitespace is requested by an authenticated user in an access request." }, { "lang": "es", "value": "Existe un problema en todas las versiones compatibles de IdentityIQ Lifecycle Manager que puede surgir si un usuario autenticado solicita un derecho con un valor que contiene espacios en blanco al principio o al final en una solicitud de acceso." } ], "id": "CVE-2024-1714", "lastModified": "2025-05-06T17:45:38.903", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:L", "version": "3.1" }, "exploitabilityScore": 1.3, "impactScore": 5.3, "source": "psirt@sailpoint.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:L", "version": "3.1" }, "exploitabilityScore": 1.3, "impactScore": 5.3, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }, "published": "2024-02-21T17:15:09.003", "references": [ { "source": "psirt@sailpoint.com", "tags": [ "Third Party Advisory" ], "url": 
"https://www.sailpoint.com/security-advisories/sailpoint-identityiq-access-request-for-entitlement-values-with-leading-trailing-whitespace-cve-2024-1714/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://www.sailpoint.com/security-advisories/sailpoint-identityiq-access-request-for-entitlement-values-with-leading-trailing-whitespace-cve-2024-1714/" } ], "sourceIdentifier": "psirt@sailpoint.com", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-20" } ], "source": "psirt@sailpoint.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-1284" } ], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }
Vulnerability from fkie_nvd
Published
2023-06-05 04:15
Modified
2024-11-21 08:02
Severity ?
9.0 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H [source: psirt@sailpoint.com, Secondary]
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H [source: nvd@nist.gov, Primary]
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p3, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p6, IdentityIQ 8.1 and all 8.1 patch levels prior to 8.1p7, IdentityIQ 8.0 and all 8.0 patch levels prior to 8.0p6 allow an authenticated user to invoke a Java constructor with no arguments or a Java constructor with a single Map argument in any Java class available in the IdentityIQ application classpath.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
sailpoint | identityiq | 8.0 | |
sailpoint | identityiq | 8.0 | |
sailpoint | identityiq | 8.0 | |
sailpoint | identityiq | 8.0 | |
sailpoint | identityiq | 8.0 | |
sailpoint | identityiq | 8.1 | |
sailpoint | identityiq | 8.1 | |
sailpoint | identityiq | 8.1 | |
sailpoint | identityiq | 8.1 | |
sailpoint | identityiq | 8.1 | |
sailpoint | identityiq | 8.1 | |
sailpoint | identityiq | 8.2 | |
sailpoint | identityiq | 8.2 | |
sailpoint | identityiq | 8.2 | |
sailpoint | identityiq | 8.2 | |
sailpoint | identityiq | 8.3 | |
sailpoint | identityiq | 8.3 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sailpoint:identityiq:8.0:-:*:*:*:*:*:*", "matchCriteriaId": "331C62A4-620B-483A-87A6-9AA51679AF92", "vulnerable": true }, { "criteria": "cpe:2.3:a:sailpoint:identityiq:8.0:patch1:*:*:*:*:*:*", "matchCriteriaId": "C84FC633-5B3C-4A40-A588-EF3AF509BBE9", "vulnerable": true }, { "criteria": "cpe:2.3:a:sailpoint:identityiq:8.0:patch2:*:*:*:*:*:*", "matchCriteriaId": "6080940F-819D-468F-90B7-D1E135020777", "vulnerable": true }, { "criteria": "cpe:2.3:a:sailpoint:identityiq:8.0:patch3:*:*:*:*:*:*", "matchCriteriaId": "E018B45E-96CF-45C2-B405-3AFCC683BF9C", "vulnerable": true }, { "criteria": "cpe:2.3:a:sailpoint:identityiq:8.0:patch4:*:*:*:*:*:*", "matchCriteriaId": "CE18C753-3EE9-49C4-A99F-4429E0B20A1A", "vulnerable": true }, { "criteria": "cpe:2.3:a:sailpoint:identityiq:8.1:-:*:*:*:*:*:*", "matchCriteriaId": "00C8E5FB-5B6D-4C1B-AEFE-C884B28392D8", "vulnerable": true }, { "criteria": "cpe:2.3:a:sailpoint:identityiq:8.1:patch1:*:*:*:*:*:*", "matchCriteriaId": "216615A8-0E21-4597-871C-AC121BF0E150", "vulnerable": true }, { "criteria": "cpe:2.3:a:sailpoint:identityiq:8.1:patch2:*:*:*:*:*:*", "matchCriteriaId": "35ECC22F-B2A2-4750-B995-2944F12C1BFF", "vulnerable": true }, { "criteria": "cpe:2.3:a:sailpoint:identityiq:8.1:patch3:*:*:*:*:*:*", "matchCriteriaId": "9ECEF57B-DA34-402A-86F0-713A3683A172", "vulnerable": true }, { "criteria": "cpe:2.3:a:sailpoint:identityiq:8.1:patch4:*:*:*:*:*:*", "matchCriteriaId": "1815D4C7-50FC-45DA-8130-E9258CAFBD09", "vulnerable": true }, { "criteria": "cpe:2.3:a:sailpoint:identityiq:8.1:patch5:*:*:*:*:*:*", "matchCriteriaId": "F784765E-8B3C-4F96-B57A-E6E7AECE628C", "vulnerable": true }, { "criteria": "cpe:2.3:a:sailpoint:identityiq:8.2:-:*:*:*:*:*:*", "matchCriteriaId": "224129BF-667F-4F6A-8E9A-15390F6FA3D5", "vulnerable": true }, { "criteria": "cpe:2.3:a:sailpoint:identityiq:8.2:patch1:*:*:*:*:*:*", "matchCriteriaId": "2A8C2668-C1F1-4A67-A2B3-99B5746C6A52", 
"vulnerable": true }, { "criteria": "cpe:2.3:a:sailpoint:identityiq:8.2:patch2:*:*:*:*:*:*", "matchCriteriaId": "A9D91EB5-EC8E-4200-9245-13E37312343D", "vulnerable": true }, { "criteria": "cpe:2.3:a:sailpoint:identityiq:8.2:patch4:*:*:*:*:*:*", "matchCriteriaId": "63352C53-ADD8-49CD-B9E6-648183BDED68", "vulnerable": true }, { "criteria": "cpe:2.3:a:sailpoint:identityiq:8.3:-:*:*:*:*:*:*", "matchCriteriaId": "1173CC53-CBE5-450C-96BF-8583D1B3D185", "vulnerable": true }, { "criteria": "cpe:2.3:a:sailpoint:identityiq:8.3:patch1:*:*:*:*:*:*", "matchCriteriaId": "2C0F5E55-5D33-425F-9DA7-49FE66CD84C4", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p3, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p6, IdentityIQ 8.1 and all 8.1 patch levels prior to 8.1p7, IdentityIQ 8.0 and all 8.0 patch levels prior to 8.0p6\u00a0allow an authenticated user to invoke a Java constructor with no arguments or a Java constructor with a single Map argument in any Java class available in the IdentityIQ application classpath.\n\n" } ], "id": "CVE-2023-32217", "lastModified": "2024-11-21T08:02:55.330", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.3, "impactScore": 6.0, "source": "psirt@sailpoint.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", 
"userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2023-06-05T04:15:10.927", "references": [ { "source": "psirt@sailpoint.com", "tags": [ "Vendor Advisory" ], "url": "https://www.sailpoint.com/security-advisories/sailpoint-identityiq-unsafe-use-of-reflection-vulnerability-cve-2023-32217/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://www.sailpoint.com/security-advisories/sailpoint-identityiq-unsafe-use-of-reflection-vulnerability-cve-2023-32217/" } ], "sourceIdentifier": "psirt@sailpoint.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-470" } ], "source": "psirt@sailpoint.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-470" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2023-01-31 15:15
Modified
2024-11-21 07:29
Severity ?
6.8 (Medium) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N [source: psirt@sailpoint.com, Secondary]
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N [source: nvd@nist.gov, Primary]
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Summary
IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p2, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p5, IdentityIQ 8.1 and all 8.1 patch levels prior to 8.1p7, IdentityIQ 8.0 and all 8.0 patch levels prior to 8.0p6, and all prior versions allow authenticated users assigned the Identity Administrator capability or any custom capability that contains the SetIdentityForwarding right to modify the work item forwarding configuration for identities other than the ones that should be allowed by Lifecycle Manager Quicklink Population configuration.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
sailpoint | identityiq | * | |
sailpoint | identityiq | 8.0 | |
sailpoint | identityiq | 8.0 | |
sailpoint | identityiq | 8.0 | |
sailpoint | identityiq | 8.0 | |
sailpoint | identityiq | 8.0 | |
sailpoint | identityiq | 8.0 | |
sailpoint | identityiq | 8.1 | |
sailpoint | identityiq | 8.1 | |
sailpoint | identityiq | 8.1 | |
sailpoint | identityiq | 8.1 | |
sailpoint | identityiq | 8.1 | |
sailpoint | identityiq | 8.1 | |
sailpoint | identityiq | 8.1 | |
sailpoint | identityiq | 8.2 | |
sailpoint | identityiq | 8.2 | |
sailpoint | identityiq | 8.2 | |
sailpoint | identityiq | 8.2 | |
sailpoint | identityiq | 8.3 | |
sailpoint | identityiq | 8.3 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sailpoint:identityiq:*:*:*:*:*:*:*:*", "matchCriteriaId": "E3470BC7-4C59-4887-85FA-62E4CFCE31D4", "versionEndExcluding": "8.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sailpoint:identityiq:8.0:-:*:*:*:*:*:*", "matchCriteriaId": "331C62A4-620B-483A-87A6-9AA51679AF92", "vulnerable": true }, { "criteria": "cpe:2.3:a:sailpoint:identityiq:8.0:patch1:*:*:*:*:*:*", "matchCriteriaId": "C84FC633-5B3C-4A40-A588-EF3AF509BBE9", "vulnerable": true }, { "criteria": "cpe:2.3:a:sailpoint:identityiq:8.0:patch2:*:*:*:*:*:*", "matchCriteriaId": "6080940F-819D-468F-90B7-D1E135020777", "vulnerable": true }, { "criteria": "cpe:2.3:a:sailpoint:identityiq:8.0:patch3:*:*:*:*:*:*", "matchCriteriaId": "E018B45E-96CF-45C2-B405-3AFCC683BF9C", "vulnerable": true }, { "criteria": "cpe:2.3:a:sailpoint:identityiq:8.0:patch4:*:*:*:*:*:*", "matchCriteriaId": "CE18C753-3EE9-49C4-A99F-4429E0B20A1A", "vulnerable": true }, { "criteria": "cpe:2.3:a:sailpoint:identityiq:8.0:patch5:*:*:*:*:*:*", "matchCriteriaId": "F5641886-0FBB-472D-950A-70F94FB99087", "vulnerable": true }, { "criteria": "cpe:2.3:a:sailpoint:identityiq:8.1:-:*:*:*:*:*:*", "matchCriteriaId": "00C8E5FB-5B6D-4C1B-AEFE-C884B28392D8", "vulnerable": true }, { "criteria": "cpe:2.3:a:sailpoint:identityiq:8.1:patch1:*:*:*:*:*:*", "matchCriteriaId": "216615A8-0E21-4597-871C-AC121BF0E150", "vulnerable": true }, { "criteria": "cpe:2.3:a:sailpoint:identityiq:8.1:patch2:*:*:*:*:*:*", "matchCriteriaId": "35ECC22F-B2A2-4750-B995-2944F12C1BFF", "vulnerable": true }, { "criteria": "cpe:2.3:a:sailpoint:identityiq:8.1:patch3:*:*:*:*:*:*", "matchCriteriaId": "9ECEF57B-DA34-402A-86F0-713A3683A172", "vulnerable": true }, { "criteria": "cpe:2.3:a:sailpoint:identityiq:8.1:patch4:*:*:*:*:*:*", "matchCriteriaId": "1815D4C7-50FC-45DA-8130-E9258CAFBD09", "vulnerable": true }, { "criteria": "cpe:2.3:a:sailpoint:identityiq:8.1:patch5:*:*:*:*:*:*", "matchCriteriaId": 
"F784765E-8B3C-4F96-B57A-E6E7AECE628C", "vulnerable": true }, { "criteria": "cpe:2.3:a:sailpoint:identityiq:8.1:patch6:*:*:*:*:*:*", "matchCriteriaId": "A7B4F481-4E74-4B56-9851-E1A665F5783D", "vulnerable": true }, { "criteria": "cpe:2.3:a:sailpoint:identityiq:8.2:-:*:*:*:*:*:*", "matchCriteriaId": "224129BF-667F-4F6A-8E9A-15390F6FA3D5", "vulnerable": true }, { "criteria": "cpe:2.3:a:sailpoint:identityiq:8.2:patch1:*:*:*:*:*:*", "matchCriteriaId": "2A8C2668-C1F1-4A67-A2B3-99B5746C6A52", "vulnerable": true }, { "criteria": "cpe:2.3:a:sailpoint:identityiq:8.2:patch2:*:*:*:*:*:*", "matchCriteriaId": "A9D91EB5-EC8E-4200-9245-13E37312343D", "vulnerable": true }, { "criteria": "cpe:2.3:a:sailpoint:identityiq:8.2:patch4:*:*:*:*:*:*", "matchCriteriaId": "63352C53-ADD8-49CD-B9E6-648183BDED68", "vulnerable": true }, { "criteria": "cpe:2.3:a:sailpoint:identityiq:8.3:-:*:*:*:*:*:*", "matchCriteriaId": "1173CC53-CBE5-450C-96BF-8583D1B3D185", "vulnerable": true }, { "criteria": "cpe:2.3:a:sailpoint:identityiq:8.3:patch1:*:*:*:*:*:*", "matchCriteriaId": "2C0F5E55-5D33-425F-9DA7-49FE66CD84C4", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p2, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p5, IdentityIQ 8.1 and all 8.1 patch levels prior to 8.1p7, IdentityIQ 8.0 and all 8.0 patch levels prior to 8.0p6, and all prior versions allow authenticated users assigned the Identity Administrator capability or any custom capability that contains the SetIdentityForwarding right to modify the work item forwarding configuration for identities other than the ones that should be allowed by Lifecycle Manager Quicklink Population configuration." 
}, { "lang": "es", "value": "IdentityIQ 8.3 y todos los niveles de parche 8.3 anteriores a 8.3p2, IdentityIQ 8.2 y todos los niveles de parche 8.2 anteriores a 8.2p5, IdentityIQ 8.1 y todos los niveles de parche 8.1 anteriores a 8.1p7, IdentityIQ 8.0 y todos los niveles de parche 8.0 anteriores a 8.0p6, y todos Las versiones anteriores permiten a los usuarios autenticados a los que se les ha asignado la capacidad de Administrador de identidades o cualquier capacidad personalizada que contenga el derecho SetIdentityForwarding modificar la configuraci\u00f3n de reenv\u00edo de elementos de trabajo para identidades distintas a las que deber\u00edan permitirse mediante la configuraci\u00f3n de Poblaci\u00f3n de enlaces r\u00e1pidos de Lifecycle Manager." } ], "id": "CVE-2022-45435", "lastModified": "2024-11-21T07:29:15.307", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1" }, "exploitabilityScore": 1.6, "impactScore": 5.2, "source": "psirt@sailpoint.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2023-01-31T15:15:08.837", "references": [ { "source": "psirt@sailpoint.com", "tags": [ "Vendor Advisory" ], "url": 
"https://www.sailpoint.com/security-advisories/sailpoint-identityiq-identity-forwarding-vulnerability-cve-2022-45435/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://www.sailpoint.com/security-advisories/sailpoint-identityiq-identity-forwarding-vulnerability-cve-2022-45435/" } ], "sourceIdentifier": "psirt@sailpoint.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-863" } ], "source": "psirt@sailpoint.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-863" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2023-01-31 15:15
Modified
2024-11-21 07:31
Severity ?
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H [source: psirt@sailpoint.com, Secondary]
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N [source: nvd@nist.gov, Primary]
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p2, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p5, IdentityIQ 8.1 and all 8.1 patch levels prior to 8.1p7, IdentityIQ 8.0 and all 8.0 patch levels prior to 8.0p6 allow access to arbitrary files in the application server filesystem due to a path traversal vulnerability in JavaServer Faces (JSF) 2.2.20 documented in CVE-2020-6950.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
sailpoint | identityiq | 8.0 | |
sailpoint | identityiq | 8.0 | |
sailpoint | identityiq | 8.0 | |
sailpoint | identityiq | 8.0 | |
sailpoint | identityiq | 8.0 | |
sailpoint | identityiq | 8.0 | |
sailpoint | identityiq | 8.1 | |
sailpoint | identityiq | 8.1 | |
sailpoint | identityiq | 8.1 | |
sailpoint | identityiq | 8.1 | |
sailpoint | identityiq | 8.1 | |
sailpoint | identityiq | 8.1 | |
sailpoint | identityiq | 8.1 | |
sailpoint | identityiq | 8.2 | |
sailpoint | identityiq | 8.2 | |
sailpoint | identityiq | 8.2 | |
sailpoint | identityiq | 8.2 | |
sailpoint | identityiq | 8.3 | |
sailpoint | identityiq | 8.3 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sailpoint:identityiq:8.0:-:*:*:*:*:*:*", "matchCriteriaId": "331C62A4-620B-483A-87A6-9AA51679AF92", "vulnerable": true }, { "criteria": "cpe:2.3:a:sailpoint:identityiq:8.0:patch1:*:*:*:*:*:*", "matchCriteriaId": "C84FC633-5B3C-4A40-A588-EF3AF509BBE9", "vulnerable": true }, { "criteria": "cpe:2.3:a:sailpoint:identityiq:8.0:patch2:*:*:*:*:*:*", "matchCriteriaId": "6080940F-819D-468F-90B7-D1E135020777", "vulnerable": true }, { "criteria": "cpe:2.3:a:sailpoint:identityiq:8.0:patch3:*:*:*:*:*:*", "matchCriteriaId": "E018B45E-96CF-45C2-B405-3AFCC683BF9C", "vulnerable": true }, { "criteria": "cpe:2.3:a:sailpoint:identityiq:8.0:patch4:*:*:*:*:*:*", "matchCriteriaId": "CE18C753-3EE9-49C4-A99F-4429E0B20A1A", "vulnerable": true }, { "criteria": "cpe:2.3:a:sailpoint:identityiq:8.0:patch5:*:*:*:*:*:*", "matchCriteriaId": "F5641886-0FBB-472D-950A-70F94FB99087", "vulnerable": true }, { "criteria": "cpe:2.3:a:sailpoint:identityiq:8.1:-:*:*:*:*:*:*", "matchCriteriaId": "00C8E5FB-5B6D-4C1B-AEFE-C884B28392D8", "vulnerable": true }, { "criteria": "cpe:2.3:a:sailpoint:identityiq:8.1:patch1:*:*:*:*:*:*", "matchCriteriaId": "216615A8-0E21-4597-871C-AC121BF0E150", "vulnerable": true }, { "criteria": "cpe:2.3:a:sailpoint:identityiq:8.1:patch2:*:*:*:*:*:*", "matchCriteriaId": "35ECC22F-B2A2-4750-B995-2944F12C1BFF", "vulnerable": true }, { "criteria": "cpe:2.3:a:sailpoint:identityiq:8.1:patch3:*:*:*:*:*:*", "matchCriteriaId": "9ECEF57B-DA34-402A-86F0-713A3683A172", "vulnerable": true }, { "criteria": "cpe:2.3:a:sailpoint:identityiq:8.1:patch4:*:*:*:*:*:*", "matchCriteriaId": "1815D4C7-50FC-45DA-8130-E9258CAFBD09", "vulnerable": true }, { "criteria": "cpe:2.3:a:sailpoint:identityiq:8.1:patch5:*:*:*:*:*:*", "matchCriteriaId": "F784765E-8B3C-4F96-B57A-E6E7AECE628C", "vulnerable": true }, { "criteria": "cpe:2.3:a:sailpoint:identityiq:8.1:patch6:*:*:*:*:*:*", "matchCriteriaId": "A7B4F481-4E74-4B56-9851-E1A665F5783D", 
"vulnerable": true }, { "criteria": "cpe:2.3:a:sailpoint:identityiq:8.2:-:*:*:*:*:*:*", "matchCriteriaId": "224129BF-667F-4F6A-8E9A-15390F6FA3D5", "vulnerable": true }, { "criteria": "cpe:2.3:a:sailpoint:identityiq:8.2:patch1:*:*:*:*:*:*", "matchCriteriaId": "2A8C2668-C1F1-4A67-A2B3-99B5746C6A52", "vulnerable": true }, { "criteria": "cpe:2.3:a:sailpoint:identityiq:8.2:patch2:*:*:*:*:*:*", "matchCriteriaId": "A9D91EB5-EC8E-4200-9245-13E37312343D", "vulnerable": true }, { "criteria": "cpe:2.3:a:sailpoint:identityiq:8.2:patch4:*:*:*:*:*:*", "matchCriteriaId": "63352C53-ADD8-49CD-B9E6-648183BDED68", "vulnerable": true }, { "criteria": "cpe:2.3:a:sailpoint:identityiq:8.3:-:*:*:*:*:*:*", "matchCriteriaId": "1173CC53-CBE5-450C-96BF-8583D1B3D185", "vulnerable": true }, { "criteria": "cpe:2.3:a:sailpoint:identityiq:8.3:patch1:*:*:*:*:*:*", "matchCriteriaId": "2C0F5E55-5D33-425F-9DA7-49FE66CD84C4", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p2, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p5, IdentityIQ 8.1 and all 8.1 patch levels prior to 8.1p7, IdentityIQ 8.0 and all 8.0 patch levels prior to 8.0p6 allow access to arbitrary files in the application server filesystem due to a path traversal vulnerability in JavaServer Faces (JSF) 2.2.20 documented in CVE-2020-6950." }, { "lang": "es", "value": "IdentityIQ 8.3 y todos los niveles de parche 8.3 anteriores a 8.3p2, IdentityIQ 8.2 y todos los niveles de parche 8.2 anteriores a 8.2p5, IdentityIQ 8.1 y todos los niveles de parche 8.1 anteriores a 8.1p7, IdentityIQ 8.0 y todos los niveles de parche 8.0 anteriores a 8.0p6 permiten el acceso a archivos arbitrarios en el sistema de archivos del servidor de aplicaciones debido a una vulnerabilidad de path traversal en JavaServer Faces (JSF) 2.2.20 documentada en CVE-2020-6950." 
} ], "id": "CVE-2022-46835", "lastModified": "2024-11-21T07:31:08.867", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "psirt@sailpoint.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2023-01-31T15:15:08.997", "references": [ { "source": "psirt@sailpoint.com", "tags": [ "Vendor Advisory" ], "url": "https://www.sailpoint.com/security-advisories/sailpoint-identityiq-file-traversal-vulnerability-cve-2022-46835/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://www.sailpoint.com/security-advisories/sailpoint-identityiq-file-traversal-vulnerability-cve-2022-46835/" } ], "sourceIdentifier": "psirt@sailpoint.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-22" } ], "source": "psirt@sailpoint.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-22" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }