CVE-2023-32217

EUVD-2023-36475
IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p3, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p6, IdentityIQ 8.1 and all 8.1 patch levels prior to 8.1p7, IdentityIQ 8.0 and all 8.0 patch levels prior to 8.0p6 allow an authenticated user to invoke a Java constructor with no arguments or a Java constructor with a single Map argument in any Java class available in the IdentityIQ application classpath.
Unsafe Reflection
| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | Primary | 9 CRITICAL | NETWORK | LOW | LOW | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H |
| SailPoint | CNA | 9 CRITICAL | NETWORK | LOW | LOW | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H |
EPSS Score: percentile 76%
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| sailpoint | identityiq | 8.0 |
| sailpoint | identityiq | 8.0:patch1 |
| sailpoint | identityiq | 8.0:patch2 |
| sailpoint | identityiq | 8.0:patch3 |
| sailpoint | identityiq | 8.0:patch4 |
| sailpoint | identityiq | 8.1 |
| sailpoint | identityiq | 8.1:patch1 |
| sailpoint | identityiq | 8.1:patch2 |
| sailpoint | identityiq | 8.1:patch3 |
| sailpoint | identityiq | 8.1:patch4 |
| sailpoint | identityiq | 8.1:patch5 |
| sailpoint | identityiq | 8.2 |
| sailpoint | identityiq | 8.2:patch1 |
| sailpoint | identityiq | 8.2:patch2 |
| sailpoint | identityiq | 8.2:patch4 |
| sailpoint | identityiq | 8.3 |
| sailpoint | identityiq | 8.3:patch1 |

𝑥 = Vulnerable software versions