# Critical SailPoint IdentityIQ Vulnerability Exposes Files to Unauthorized Access

__Dec 04, 2024__Ravie LakshmananVulnerability / Software Security


A critical security vulnerability has been disclosed in SailPoint's [IdentityIQ](https://www.sailpoint.com/products/identity-security-software/identity-iq) identity and access management (IAM) software that allows unauthorized access to content stored within the application directory.

The flaw, tracked as **CVE-2024-10905**, has a CVSS score of 10.0, indicating maximum severity. It affects IdentityIQ versions 8.2, 8.3, 8.4, and other previous versions.

IdentityIQ "allows HTTP access to static content in the IdentityIQ application directory that should be protected," according to a [description](https://nvd.nist.gov/vuln/detail/CVE-2024-10905) of the flaw on NIST's National Vulnerability Database (NVD).

The vulnerability has been characterized as a case of improper handling of file names that identify virtual resources ([CWE-66](https://cwe.mitre.org/data/definitions/66.html)), which could be abused to read otherwise inaccessible files.


There are currently no other details available about the flaw, nor has SailPoint released a security advisory. The exact versions impacted by CVE-2024-10905 are listed below:

*   8.4 and all 8.4 patch levels prior to 8.4p2
*   8.3 and all 8.3 patch levels prior to 8.3p5
*   8.2 and all 8.2 patch levels prior to 8.2p8, and
*   All prior versions
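For triaging an inventory against the list above, the following is an added example and not code from SailPoint or from this article. It assumes version strings are recorded in the same `8.3p4` form the list uses, and it reports branches newer than 8.4 as unknown because the article does not cover them; the host names are hypothetical.

```python
import re

# First fixed patch level per branch, taken from the list above.
FIXED_PATCH = {(8, 4): 2, (8, 3): 5, (8, 2): 8}
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\s*p(\d+))?\s*$", re.IGNORECASE)


def parse_version(text):
    """Split '8.3p4' into ((8, 3), 4); a bare '8.3' is patch level 0."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised IdentityIQ version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor)), int(patch or 0)


def is_affected(text):
    """True/False per the list above; None when the list does not cover the branch."""
    branch, patch = parse_version(text)
    if branch in FIXED_PATCH:
        return patch < FIXED_PATCH[branch]
    if branch < min(FIXED_PATCH):
        return True   # "All prior versions"
    return None       # newer than 8.4: not addressed by the article


def triage(inventory):
    """Group host names by status: 'affected', 'fixed' or 'unknown'."""
    result = {"affected": [], "fixed": [], "unknown": []}
    for host, version in inventory.items():
        try:
            status = is_affected(version)
        except ValueError:
            status = None  # unparseable version: needs manual review
        key = "unknown" if status is None else ("affected" if status else "fixed")
        result[key].append(host)
    return result


# Constructed sample inventory (host names and versions are made up).
SAMPLE_INVENTORY = {
    "iiq-prod": "8.3p4",
    "iiq-dr": "8.4p2",
    "iiq-legacy": "7.3p3",
    "iiq-test": "8.2",
    "iiq-lab": "unknown-build",
}

print(triage(SAMPLE_INVENTORY))
```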

The Hacker News has reached out to SailPoint for comment prior to the publication of this story and will update the piece if we hear back from the company.

  

