CVE-2023-32217: Unsafe Reflection in IdentityIQ

CWE-470: Unsafe Reflection (3 documents, 3 sources)
Severity: 8.8 HIGH (NVD); 9.0 (CNA)
EPSS: 0.8% (top 25.23%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jun 5; Latest update Jul 6

Description

IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p3, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p6, IdentityIQ 8.1 and all 8.1 patch levels prior to 8.1p7, IdentityIQ 8.0 and all 8.0 patch levels prior to 8.0p6 allow an authenticated user to invoke a Java constructor with no arguments or a Java constructor with a single Map argument in any Java class available in the IdentityIQ application classpath.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9

Affected Packages (2 packages)

CVEListV5 | sailpoint/identityiq | 8.3 | 8.3p2 | +3
NVD | sailpoint/identityiq | 4 versions | +3

Vulnerability Details (2)

GHSA: GHSA-hq36-j573-g8vp: IdentityIQ 8 (2023-07-06)
CVEList: SailPoint IdentityIQ Unsafe use of Reflection Vulnerability (2023-05-31)