Improper Handling of File Names that Identify Virtual Resources

CVE-2024-10905

High

10/10

Summary

IdentityIQ 8.4 and all 8.4 patch levels prior to 8.4p2, IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p5, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p8, and all prior versions allow HTTP/HTTPS access to static content in the IdentityIQ application directory that should be protected.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: HIGH
Scope: CHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: HIGH
Availability Impact: HIGH

CWE-66 - Improper Handling of File Names that Identify Virtual Resources

The product does not handle or incorrectly handles a file name that identifies a "virtual" resource that is not directly specified within the directory that is associated with the file name, causing the product to perform file-based operations on a resource that is not a file.

References

Advisory Timeline

Published Dec 02, 2024

Improper Handling of File Names that Identify Virtual Resources

CVE-2024-10905

Summary

CWE-66 - Improper Handling of File Names that Identify Virtual Resources

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS