All the vulnerabilities related to SailPoint - IdentityIQ
cve-2024-2227
Vulnerability from cvelistv5
Published
2024-03-22 15:43
Modified
2024-08-01 19:03
Summary
IdentityIQ JavaServer Faces File Path Traversal Vulnerability
References
Impacted products
| Vendor | Product |
|---|---|
| SailPoint | IdentityIQ |
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:sailpoint:identityiq:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "identityiq", "vendor": "sailpoint", "versions": [ { "lessThan": "8.1p7", "status": "affected", "version": "8.1", "versionType": "custom" }, { "lessThan": "8.2p7", "status": "affected", "version": "8.2", "versionType": "custom" }, { "lessThan": "8.3p4", "status": "affected", "version": "8.3", "versionType": "custom" }, { "lessThan": "8.4p1", "status": "affected", "version": "8.4", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-2227", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-03-30T04:00:58.434391Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-08-01T18:45:07.233Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-01T19:03:39.142Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://www.sailpoint.com/security-advisories/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unknown", "product": "IdentityIQ", "vendor": "SailPoint", "versions": [ { "lessThan": "8.1p7", "status": "affected", "version": "8.1", "versionType": "semver" }, { "lessThan": "8.2p7", "status": "affected", "version": "8.2", "versionType": "semver" }, { "lessThan": "8.3p4", "status": "affected", "version": "8.3", "versionType": "semver" }, { "lessThan": "8.4p1", "status": "affected", "version": "8.4", "versionType": "semver" } ] } ], "credits": [ { "lang": "en", "type": "reporter", "user": "00000000-0000-4000-9000-000000000000", "value": "Jose Domingo Carillo Lencina, 0xd0m7" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { 
"base64": false, "type": "text/html", "value": "This vulnerability allows access to arbitrary files in the application server file system due to a path traversal vulnerability in JavaServer Faces (JSF) 2.2.20 documented in CVE-2020-6950. The remediation for this vulnerability contained in this security fix provides additional changes to the remediation announced in May 2021 tracked by ETN IIQSAW-3585 and January 2024 tracked by IIQFW-336. This vulnerability in IdentityIQ is assigned CVE-2024-2227." } ], "value": "This vulnerability allows access to arbitrary files in the application server file system due to a path traversal vulnerability in JavaServer Faces (JSF) 2.2.20 documented in CVE-2020-6950. The remediation for this vulnerability contained in this security fix provides additional changes to the remediation announced in May 2021 tracked by ETN IIQSAW-3585 and January 2024 tracked by IIQFW-336. This vulnerability in IdentityIQ is assigned CVE-2024-2227." } ], "impacts": [ { "capecId": "CAPEC-126", "descriptions": [ { "lang": "en", "value": "CAPEC-126 Path Traversal" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-03-22T15:43:12.869Z", "orgId": "2cfc7547-56a0-4049-8b52-c3078e8a8719", "shortName": "SailPoint" }, "references": [ { "url": "https://www.sailpoint.com/security-advisories/" } ], "source": { 
"discovery": "UNKNOWN" }, "title": "IdentityIQ JavaServer Faces File Path Traversal Vulnerability", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "2cfc7547-56a0-4049-8b52-c3078e8a8719", "assignerShortName": "SailPoint", "cveId": "CVE-2024-2227", "datePublished": "2024-03-22T15:43:12.869Z", "dateReserved": "2024-03-06T17:01:38.789Z", "dateUpdated": "2024-08-01T19:03:39.142Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-46835
Vulnerability from cvelistv5
Published
2023-01-31 00:00
Modified
2025-03-27 18:26
Summary
SailPoint IdentityIQ JavaServer File Path Traversal Vulnerability
References
Impacted products
| Vendor | Product |
|---|---|
| SailPoint | IdentityIQ |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T14:39:39.059Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://www.sailpoint.com/security-advisories/sailpoint-identityiq-file-traversal-vulnerability-cve-2022-46835/" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2022-46835", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2025-03-27T18:26:50.539506Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-03-27T18:26:57.953Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "IdentityIQ", "vendor": "SailPoint", "versions": [ { "lessThanOrEqual": "8.3p1", "status": "affected", "version": "8.3", "versionType": "custom" }, { "lessThanOrEqual": "8.2p4", "status": "affected", "version": "8.2", "versionType": "custom" }, { "lessThanOrEqual": "8.1p6", "status": "affected", "version": "8.1", "versionType": "custom" }, { "lessThanOrEqual": "8.0p5", "status": "affected", "version": "8.0", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p2, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p5, IdentityIQ 8.1 and all 8.1 patch levels prior to 8.1p7, IdentityIQ 8.0 and all 8.0 patch levels prior to 8.0p6 allow access to arbitrary files in the application server filesystem due to a path traversal vulnerability in JavaServer Faces (JSF) 2.2.20 documented in CVE-2020-6950." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-02-02T00:00:00.000Z", "orgId": "2cfc7547-56a0-4049-8b52-c3078e8a8719", "shortName": "SailPoint" }, "references": [ { "url": "https://www.sailpoint.com/security-advisories/sailpoint-identityiq-file-traversal-vulnerability-cve-2022-46835/" } ], "source": { "discovery": "UNKNOWN" }, "title": "SailPoint IdentityIQ JavaServer File Path Traversal Vulnerability", "x_generator": { "engine": "Vulnogram 0.0.9" } } }, "cveMetadata": { "assignerOrgId": "2cfc7547-56a0-4049-8b52-c3078e8a8719", "assignerShortName": "SailPoint", "cveId": "CVE-2022-46835", "datePublished": "2023-01-31T00:00:00.000Z", "dateReserved": "2022-12-08T00:00:00.000Z", "dateUpdated": "2025-03-27T18:26:57.953Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-32217
Vulnerability from cvelistv5
Published
2023-05-31 00:00
Modified
2025-01-10 15:40
Summary
SailPoint IdentityIQ Unsafe use of Reflection Vulnerability
References
Impacted products
| Vendor | Product |
|---|---|
| SailPoint | IdentityIQ |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T15:10:23.943Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://www.sailpoint.com/security-advisories/sailpoint-identityiq-unsafe-use-of-reflection-vulnerability-cve-2023-32217/" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-32217", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2025-01-10T15:40:05.443644Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-01-10T15:40:35.132Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unknown", "product": "IdentityIQ", "vendor": "SailPoint", "versions": [ { "lessThanOrEqual": "8.3p2", "status": "affected", "version": "8.3", "versionType": "semver" }, { "lessThanOrEqual": "8.2p5", "status": "affected", "version": "8.2", "versionType": "semver" }, { "lessThanOrEqual": "8.1p6", "status": "affected", "version": "8.1", "versionType": "semver" }, { "lessThanOrEqual": "8.0p5", "status": "affected", "version": "8.0", "versionType": "semver" } ] } ], "credits": [ { "lang": "en", "type": "reporter", "user": "00000000-0000-4000-9000-000000000000", "value": "Recurity Labs GmbH" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p3, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p6, IdentityIQ 8.1 and all 8.1 patch levels prior to 8.1p7, IdentityIQ 8.0 and all 8.0 patch levels prior to 8.0p6\u0026nbsp;allow an authenticated user to invoke a Java constructor with no arguments or a Java constructor with a single Map argument in any Java class available in the IdentityIQ 
application classpath.\u003cbr\u003e\u003cbr\u003e" } ], "value": "IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p3, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p6, IdentityIQ 8.1 and all 8.1 patch levels prior to 8.1p7, IdentityIQ 8.0 and all 8.0 patch levels prior to 8.0p6\u00a0allow an authenticated user to invoke a Java constructor with no arguments or a Java constructor with a single Map argument in any Java class available in the IdentityIQ application classpath.\n\n" } ], "impacts": [ { "capecId": "CAPEC-138", "descriptions": [ { "lang": "en", "value": "CAPEC-138 Reflection Injection" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-470", "description": "CWE-470 Use of Externally-Controlled Input to Select Classes or Code (\u0027Unsafe Reflection\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-06-05T03:55:37.447Z", "orgId": "2cfc7547-56a0-4049-8b52-c3078e8a8719", "shortName": "SailPoint" }, "references": [ { "url": "https://www.sailpoint.com/security-advisories/sailpoint-identityiq-unsafe-use-of-reflection-vulnerability-cve-2023-32217/" } ], "source": { "discovery": "EXTERNAL" }, "title": "SailPoint IdentityIQ Unsafe use of Reflection Vulnerability", "x_generator": { "engine": "SecretariatVulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "2cfc7547-56a0-4049-8b52-c3078e8a8719", "assignerShortName": "SailPoint", "cveId": "CVE-2023-32217", "datePublished": "2023-05-31T00:00:00", "dateReserved": "2023-05-04T20:01:49.973Z", 
"dateUpdated": "2025-01-10T15:40:35.132Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-1714
Vulnerability from cvelistv5
Published
2024-02-21 16:57
Modified
2025-08-26 20:08
Summary
Access Request for Entitlement Values with Leading/Trailing Whitespace
References
Impacted products
| Vendor | Product |
|---|---|
| SailPoint | IdentityIQ |
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:L", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2024-1714", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-03-06T19:02:28.625676Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-08-26T20:08:09.865Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-01T18:48:21.832Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://www.sailpoint.com/security-advisories/sailpoint-identityiq-access-request-for-entitlement-values-with-leading-trailing-whitespace-cve-2024-1714/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unknown", "product": "IdentityIQ", "vendor": "SailPoint", "versions": [ { "lessThan": "8.2p7", "status": "affected", "version": "8.2", "versionType": "semver" }, { "lessThan": "8.3p4", "status": "affected", "version": "8.3", "versionType": "semver" }, { "lessThan": "8.4p1", "status": "affected", "version": "8.4", "versionType": "semver" } ] } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "An issue exists in all supported versions of IdentityIQ Lifecycle Manager that can result if an entitlement with a value containing leading or trailing whitespace is requested by an authenticated user in an access request." 
} ], "value": "An issue exists in all supported versions of IdentityIQ Lifecycle Manager that can result if an entitlement with a value containing leading or trailing whitespace is requested by an authenticated user in an access request." } ], "impacts": [ { "capecId": "CAPEC-122", "descriptions": [ { "lang": "en", "value": "CAPEC-122 Privilege Abuse" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:L", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-20", "description": "CWE-20 Improper Input Validation", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-04-17T18:37:39.187Z", "orgId": "2cfc7547-56a0-4049-8b52-c3078e8a8719", "shortName": "SailPoint" }, "references": [ { "url": "https://www.sailpoint.com/security-advisories/sailpoint-identityiq-access-request-for-entitlement-values-with-leading-trailing-whitespace-cve-2024-1714/" } ], "source": { "discovery": "UNKNOWN" }, "title": "Access Request for Entitlement Values with Leading/Trailing Whitespace", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "2cfc7547-56a0-4049-8b52-c3078e8a8719", "assignerShortName": "SailPoint", "cveId": "CVE-2024-1714", "datePublished": "2024-02-21T16:57:19.298Z", "dateReserved": "2024-02-21T16:52:41.030Z", "dateUpdated": "2025-08-26T20:08:09.865Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-2228
Vulnerability from cvelistv5
Published
2024-03-22 15:50
Modified
2024-08-01 19:03
Summary
IdentityIQ Authorization of QuickLink Target Identities Vulnerability
References
Impacted products
| Vendor | Product |
|---|---|
| SailPoint | IdentityIQ |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-2228", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-03-22T18:33:57.066222Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-07-05T17:21:16.762Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-01T19:03:39.121Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://www.sailpoint.com/security-advisories/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unknown", "product": "IdentityIQ", "vendor": "SailPoint", "versions": [ { "lessThan": "8.1p7", "status": "affected", "version": "8.1", "versionType": "semver" }, { "lessThan": "8.2p7", "status": "affected", "version": "8.2", "versionType": "semver" }, { "lessThan": "8.3p4", "status": "affected", "version": "8.3", "versionType": "semver" }, { "lessThan": "8.4p1", "status": "affected", "version": "8.4", "versionType": "semver" } ] } ], "datePublic": "2024-03-21T15:43:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "This vulnerability allows an authenticated user to perform a Lifecycle Manager flow or other QuickLink for a target user outside of the defined QuickLink Population." } ], "value": "This vulnerability allows an authenticated user to perform a Lifecycle Manager flow or other QuickLink for a target user outside of the defined QuickLink Population." 
} ], "impacts": [ { "capecId": "CAPEC-1", "descriptions": [ { "lang": "en", "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-269", "description": "CWE-269 Improper Privilege Management", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-03-22T15:50:09.729Z", "orgId": "2cfc7547-56a0-4049-8b52-c3078e8a8719", "shortName": "SailPoint" }, "references": [ { "url": "https://www.sailpoint.com/security-advisories/" } ], "source": { "discovery": "UNKNOWN" }, "title": "IdentityIQ Authorization of QuickLink Target Identities Vulnerability", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "2cfc7547-56a0-4049-8b52-c3078e8a8719", "assignerShortName": "SailPoint", "cveId": "CVE-2024-2228", "datePublished": "2024-03-22T15:50:09.729Z", "dateReserved": "2024-03-06T17:01:59.959Z", "dateUpdated": "2024-08-01T19:03:39.121Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-45435
Vulnerability from cvelistv5
Published
2023-01-31 00:00
Modified
2025-03-27 18:28
Summary
SailPoint IdentityIQ Access Control Bypass
References
Impacted products
| Vendor | Product |
|---|---|
| SailPoint | IdentityIQ |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T14:09:57.045Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://www.sailpoint.com/security-advisories/sailpoint-identityiq-identity-forwarding-vulnerability-cve-2022-45435/" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2022-45435", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2025-03-27T18:28:31.181114Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-03-27T18:28:39.509Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "IdentityIQ", "vendor": "SailPoint", "versions": [ { "lessThanOrEqual": "8.3p1", "status": "affected", "version": "8.3", "versionType": "custom" }, { "lessThanOrEqual": "8.2p4", "status": "affected", "version": "8.2", "versionType": "custom" }, { "lessThanOrEqual": "8.1p6", "status": "affected", "version": "8.1", "versionType": "custom" }, { "lessThanOrEqual": "8.0p5", "status": "affected", "version": "8.0", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "Elisia Chessel,Klarna AB" } ], "descriptions": [ { "lang": "en", "value": "IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p2, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p5, IdentityIQ 8.1 and all 8.1 patch levels prior to 8.1p7, IdentityIQ 8.0 and all 8.0 patch levels prior to 8.0p6, and all prior versions allow authenticated users assigned the Identity Administrator capability or any custom capability that contains the SetIdentityForwarding right to modify the work item forwarding configuration for identities other than the ones that should be allowed by Lifecycle Manager Quicklink Population configuration." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-01-31T00:00:00.000Z", "orgId": "2cfc7547-56a0-4049-8b52-c3078e8a8719", "shortName": "SailPoint" }, "references": [ { "url": "https://www.sailpoint.com/security-advisories/sailpoint-identityiq-identity-forwarding-vulnerability-cve-2022-45435/" } ], "source": { "discovery": "EXTERNAL" }, "title": "SailPoint IdentityIQ Access Control Bypass", "workarounds": [ { "lang": "en", "value": "Remove the SetIdentityForwarding right from all IdentityIQ capabilities or unassign any capability containing the SetIdentityForwarding right from all identities. In this mitigated state, work item forwarding can still be configured by an identity by modifying user preferences." } ], "x_generator": { "engine": "Vulnogram 0.0.9" } } }, "cveMetadata": { "assignerOrgId": "2cfc7547-56a0-4049-8b52-c3078e8a8719", "assignerShortName": "SailPoint", "cveId": "CVE-2022-45435", "datePublished": "2023-01-31T00:00:00.000Z", "dateReserved": "2022-11-14T00:00:00.000Z", "dateUpdated": "2025-03-27T18:28:39.509Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }