CVE-2024-2227 — Path Traversal in IdentityIQ
Severity
NVD: 7.5 HIGH
CNA: 6.5
EPSS
0.6% (top 30.24%)
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Mar 22
Latest update: May 17
Description
This vulnerability allows access to arbitrary files in the application server file system due to a path traversal vulnerability in JavaServer Faces (JSF) 2.2.20 documented in CVE-2020-6950. The remediation for this vulnerability contained in this security fix provides additional changes to the remediation announced in May 2021 tracked by ETN IIQSAW-3585 and January 2024 tracked by IIQFW-336. This vulnerability in IdentityIQ is assigned CVE-2024-2227.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 3.9 | Impact: 3.6
Affected Packages: 2 packages
Vulnerability Details: 2
Vendor Advisories: 1
Community: 1
Bugzilla: CVE-2024-27436 kernel: ALSA: usb-audio: Stop parsing channels bits when all channels are found. (2024-05-17)