Unrestricted Access to Target User Data via Lifecycle Manager Flow
CVE-2024-2228
7.1 HIGH
What is CVE-2024-2228?
An authentication vulnerability in SailPoint Lifecycle Manager allows an authenticated user to perform Lifecycle Manager operations, or use a QuickLink, against a designated target user while bypassing the restrictions of the QuickLink Population. This can allow unauthorized actions, threatening the integrity of user data and access management systems.
Affected Version(s)
IdentityIQ 8.1 < 8.1p7
IdentityIQ 8.2 < 8.2p7
IdentityIQ 8.3 < 8.3p4
CVSS V3.1
Score: 7.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: Required
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved