Common Weakness Enumeration

CWE-66

Allowed

Improper Handling of File Names that Identify Virtual Resources

Abstraction: Base · Status: Draft

The product does not handle or incorrectly handles a file name that identifies a "virtual" resource that is not directly specified within the directory that is associated with the file name, causing the product to perform file-based operations on a resource that is not a file.

2 vulnerabilities reference this CWE, most recent first.

CVE-2024-10905 (GCVE-0-2024-10905)

Vulnerability from cvelistv5 – Published: 2024-12-02 14:49 – Updated: 2025-01-06 17:42
VLAI
Title
IdentityIQ Improper Access Control VulnerabilityIdentityIQ Improper Access Control Vulnerability
Summary
IdentityIQ 8.4 and all 8.4 patch levels prior to 8.4p2, IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p5, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p8, and all prior versions allow HTTP/HTTPS access to static content in the IdentityIQ application directory that should be protected.
SSVC
Exploitation: none Automatable: yes Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-66 - Improper Handling of File Names that Identify Virtual Resources
Assigner
Impacted products
Vendor Product Version
SailPoint Technologies IdentityIQ Affected: 8.2 , < 8.2p8 (semver)
Affected: 8.3 , < 8.3p5 (semver)
Affected: 8.4 , < 8.4p2 (semver)
Create a notification for this product.
sailpoint identityiq Affected: 8.2 , < 8.2p8 (semver)
Affected: 8.3 , < 8.3p5 (semver)
Affected: 8.4 , < 8.4p2 (semver)
    cpe:2.3:a:sailpoint:identityiq:*:*:*:*:*:*:*:*
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:sailpoint:identityiq:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "identityiq",
            "vendor": "sailpoint",
            "versions": [
              {
                "lessThan": "8.2p8",
                "status": "affected",
                "version": "8.2",
                "versionType": "semver"
              },
              {
                "lessThan": "8.3p5",
                "status": "affected",
                "version": "8.3",
                "versionType": "semver"
              },
              {
                "lessThan": "8.4p2",
                "status": "affected",
                "version": "8.4",
                "versionType": "semver"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-10905",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-12-03T04:55:24.996838Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-06T17:42:22.215Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "product": "IdentityIQ",
          "vendor": "SailPoint Technologies",
          "versions": [
            {
              "lessThan": "8.2p8",
              "status": "affected",
              "version": "8.2",
              "versionType": "semver"
            },
            {
              "lessThan": "8.3p5",
              "status": "affected",
              "version": "8.3",
              "versionType": "semver"
            },
            {
              "lessThan": "8.4p2",
              "status": "affected",
              "version": "8.4",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "IdentityIQ 8.4 and all 8.4 patch levels prior to 8.4p2, IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p5, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p8, and all prior versions\u0026nbsp;\u003cspan style=\"background-color: var(--wht);\"\u003eallow HTTP/HTTPS access to\u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: var(--wht);\"\u003estatic content in the IdentityIQ application directory that should be protected.\u003c/span\u003e\u003cspan style=\"background-color: var(--wht);\"\u003e\u003cbr\u003e\u003c/span\u003e\n\n\n\u003cbr\u003e"
            }
          ],
          "value": "IdentityIQ 8.4 and all 8.4 patch levels prior to 8.4p2, IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p5, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p8, and all prior versions\u00a0allow HTTP/HTTPS access to\u00a0static content in the IdentityIQ application directory that should be protected."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-1",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 10,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-66",
              "description": "CWE-66: Improper Handling of File Names that Identify Virtual Resources",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-06T17:57:12.682Z",
        "orgId": "2cfc7547-56a0-4049-8b52-c3078e8a8719",
        "shortName": "SailPoint"
      },
      "references": [
        {
          "url": "https://www.sailpoint.com/security-advisories/identityiq-improper-access-control-vulnerability-cve-2024-10905"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://community.sailpoint.com/t5/IdentityIQ-Blog/IdentityIQ-Improper-Access-Control-Vulnerability/ba-p/261409\"\u003ehttps://community.sailpoint.com/t5/IdentityIQ-Blog/IdentityIQ-Improper-Access-Control-Vulnerability/...\u003c/a\u003e"
            }
          ],
          "value": "https://community.sailpoint.com/t5/IdentityIQ-Blog/IdentityIQ-Improper-Access-Control-Vulnerability/... https://community.sailpoint.com/t5/IdentityIQ-Blog/IdentityIQ-Improper-Access-Control-Vulnerability/ba-p/261409"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "IdentityIQ Improper Access Control VulnerabilityIdentityIQ Improper Access Control Vulnerability",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "2cfc7547-56a0-4049-8b52-c3078e8a8719",
    "assignerShortName": "SailPoint",
    "cveId": "CVE-2024-10905",
    "datePublished": "2024-12-02T14:49:51.199Z",
    "dateReserved": "2024-11-05T20:21:47.258Z",
    "dateUpdated": "2025-01-06T17:42:22.215Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

GHSA-9JCJ-C3PX-4JC5

Vulnerability from github – Published: 2024-12-02 15:31 – Updated: 2025-11-12 18:31
VLAI
Details

IdentityIQ 8.4 and all 8.4 patch levels prior to 8.4p2, IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p5, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p8, and all prior versions allows HTTP access to static content in the IdentityIQ application directory that should be protected.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-10905"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-66"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-02T15:15:10Z",
    "severity": "CRITICAL"
  },
  "details": "IdentityIQ 8.4 and all 8.4 patch levels prior to 8.4p2, IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p5, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p8, and all prior versions\u00a0allows HTTP access to\u00a0static content in the IdentityIQ application directory that should be protected.",
  "id": "GHSA-9jcj-c3px-4jc5",
  "modified": "2025-11-12T18:31:02Z",
  "published": "2024-12-02T15:31:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10905"
    },
    {
      "type": "WEB",
      "url": "https://www.sailpoint.com/security-advisories"
    },
    {
      "type": "WEB",
      "url": "https://www.sailpoint.com/security-advisories/identityiq-improper-access-control-vulnerability-cve-2024-10905"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.