Perfect 10 directory traversal vuln hits SailPoint's IAM solution

Updated It's time to rev up those patch engines after SailPoint disclosed a perfect 10/10 severity vulnerability in its identity and access management (IAM) platform IdentityIQ.

The bug is not attached to a security advisory at the time of writing, but the vulnerability was reported on Monday to the National Vulnerability Database (NVD), which then assigned it the CVE-2024-10905 identifier.

Given the NVD rarely publishes a full analysis of vulnerabilities, and without an accompanying advisory to consult, the details of the flaw are few and far between.

However, we know the weakness enumeration is CWE-66. Otherwise known as a directory traversal flaw, these are the types of decades-old, easy-to-exploit bugs that the US's Cybersecurity and Infrastructure Security Agency (CISA) urged vendors to squash earlier this year.

In fact, security organization MITRE was calling them "unforgivable" much earlier, per a 2007 paper [PDF].

Directory traversals, sometimes referred to as path traversals, can be exploited when a piece of software fails to sanitize user input, allowing that user to access file directories they don't ordinarily have the necessary permissions to view.

This then leads to the disclosure of sensitive information and potentially the wider compromise of systems.

Such bugs have previously been described as "embarrassingly easy to exploit."

CISA said: "Directory traversal exploits succeed because technology manufacturers fail to treat user-supplied content as potentially malicious, hence failing to adequately protect their customers."

The agency's alert was one of many published earlier this year designed to support its campaign to drive the adoption of secure-by-design principles in software development. The idea is that if the most basic security issues are sorted out by vendors, the number of attacks that disrupt critical services will plummet.

• Zabbix urges upgrades after critical SQL injection bug disclosure
• QNAP and Veritas dump 30-plus vulns over the weekend
• Palo Alto Networks tackles firewall-busting zero-days with critical patches
• Fortinet patches VPN app flaw that could give rogue users, malware a privilege boost

Per the NVD's limited breakdown, the following SailPoint IdentityIQ versions are vulnerable:

• 8.4.x

• 8.3.x

• 8.2.x

• All versions prior to these

Customers are advised to upgrade to versions 8.4p2, 8.3p5, and 8.2p8 respectively to patch the vulnerability.

Speaking of customers, SailPoint has some heavy hitters on its books. While the Thoma Bravo-owned biz doesn't disclose the exact number of customers under its wing, major organizations listed on its case studies page as using IdentityIQ include BNP Paribas, Toyota Europe, Philips, The Home Depot, General Motors, and an unnamed central bank of a European country dubbed a "major global economy."

The Register asked SailPoint why no security advisory was released and whether it's aware of any successful exploit attempts, but it did not immediately respond. ®

Updated to add at 1207 UTC, December 5

Rex Booth, CISO at SailPoint, shared the following statement with The Register: