CVE-2023-32217

IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p3, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p6, IdentityIQ 8.1 and all 8.1 patch levels prior to 8.1p7, IdentityIQ 8.0 and all 8.0 patch levels prior to 8.0p6allow an authenticated user to invoke a Java constructor with no arguments or a Java constructor with a single Map argument in any Java class available in the IdentityIQ application classpath.
Unsafe Reflection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9 CRITICAL
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
SailPointCNA
9 CRITICAL
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
CVEADP
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 68%
VendorProductVersion
sailpointidentityiq
8.0
sailpointidentityiq
8.0:patch1
sailpointidentityiq
8.0:patch2
sailpointidentityiq
8.0:patch3
sailpointidentityiq
8.0:patch4
sailpointidentityiq
8.1
sailpointidentityiq
8.1:patch1
sailpointidentityiq
8.1:patch2
sailpointidentityiq
8.1:patch3
sailpointidentityiq
8.1:patch4
sailpointidentityiq
8.1:patch5
sailpointidentityiq
8.2
sailpointidentityiq
8.2:patch1
sailpointidentityiq
8.2:patch2
sailpointidentityiq
8.2:patch4
sailpointidentityiq
8.3
sailpointidentityiq
8.3:patch1
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://www.sailpoint.com/security-advisories/sailpoint-identityiq-unsafe-use-of-reflection-vulnerability-cve-2023-32217/
https://www.sailpoint.com/security-advisories/sailpoint-identityiq-unsafe-use-of-reflection-vulnerability-cve-2023-32217/