Arbitrary File Access Vulnerability in JavaServer Faces (JSF) 2.2.20
CVE-2024-2227

10 CRITICAL

Key Information:

Vendor:
SailPoint

CVE Published:
22 March 2024

What is CVE-2024-2227?

A vulnerability exists in SailPoint's IdentityIQ application due to improper validation of user input, allowing attackers to exploit a path traversal weakness in the JavaServer Faces (JSF) framework, specifically version 2.2.20. This flaw may enable unauthorized access to files on the application server, posing a significant security risk. Previous remediation efforts, including one noted in May 2021 and updates in January 2024, did not adequately address the underlying issue, so further immediate action is needed to secure affected installations. Users of affected versions should prioritize applying the latest security patches to mitigate potential exploitation.

Affected Version(s)

IdentityIQ 8.1 < 8.1p7

IdentityIQ 8.2 < 8.2p7

IdentityIQ 8.3 < 8.3p4

CVSS v3.1

Score: 10
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Jose Domingo Carillo Lencina, 0xd0m7