CVE-2024-10905 Overview
CVE-2024-10905 is an improper access control vulnerability in SailPoint IdentityIQ, an enterprise identity governance platform. The flaw allows HTTP/HTTPS access to static content stored in the IdentityIQ application directory that should be protected from unauthenticated requests. Affected versions include IdentityIQ 8.4 prior to 8.4p2, 8.3 prior to 8.3p5, 8.2 prior to 8.2p8, and all earlier releases. The vulnerability is tracked under [CWE-66: Improper Handling of File Names that Identify Virtual Resources].
Critical Impact
Unauthenticated network attackers can retrieve protected static content from IdentityIQ deployments, exposing sensitive application data with no privileges or user interaction required.
Affected Products
- SailPoint IdentityIQ 8.4 and all 8.4 patch levels prior to 8.4p2
- SailPoint IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p5
- SailPoint IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p8, plus all prior versions
Discovery Timeline
- 2024-12-02 - CVE-2024-10905 published to NVD
- 2025-11-12 - Last updated in NVD database
Technical Details for CVE-2024-10905
Vulnerability Analysis
The vulnerability resides in how the IdentityIQ web application exposes static resources within its application directory. Files intended to be protected by access control checks remain reachable through direct HTTP or HTTPS requests. An unauthenticated remote attacker can issue crafted requests to enumerate and download these resources over the network.
Because IdentityIQ functions as an identity governance and administration (IGA) platform, the static content within the application directory can include configuration metadata, internal templates, and resources tied to identity workflows. Unauthorized retrieval undermines the confidentiality, integrity, and availability guarantees of the deployment.
Root Cause
The root cause is improper handling of file name references identifying virtual resources [CWE-66]. The web tier fails to enforce authentication and authorization on a subset of paths under the application directory. Resources that should be filtered by servlet mappings or access control rules are instead served as plain static content.
Attack Vector
Exploitation requires only network reachability to the IdentityIQ web interface. The attacker sends HTTP or HTTPS requests targeting file paths within the application directory that the server should restrict. No credentials, tokens, or user interaction are required. Successful requests return the protected file content directly in the HTTP response.
No verified public proof-of-concept exploit code is currently available. For technical specifics, refer to the SailPoint Security Advisory CVE-2024-10905.
Detection Methods for CVE-2024-10905
Indicators of Compromise
- HTTP/HTTPS requests targeting unusual paths under the IdentityIQ application directory from unauthenticated sources
- Successful 200 OK responses to requests for static resources that normally require authentication
- Anomalous spikes in GET requests for file extensions such as .xml, .properties, or .xhtml against the IdentityIQ host
- Internal hosts generating scanner-like or reconnaissance traffic toward IdentityIQ URLs, which may indicate a compromised system probing the application
Detection Strategies
- Review web server and reverse proxy access logs for requests to IdentityIQ static paths originating from unauthenticated sessions
- Correlate web access logs with authentication events to flag resource retrievals lacking a preceding login
- Deploy WAF or IDS signatures that match enumeration patterns against IdentityIQ application directory paths
Monitoring Recommendations
- Enable verbose access logging on the IdentityIQ application server and forward logs to a centralized analytics platform
- Establish baselines for normal authenticated traffic patterns and alert on deviations targeting static resource paths
- Monitor for repeated 404 and 403 responses that may indicate path enumeration prior to a successful retrieval
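As an added example that is not part of the original advisory, the following Python script applies two of the strategies above to access-log lines: it flags 200 responses for sensitive static paths from clients with no preceding login, and flags clients whose 403/404 hits on such paths suggest enumeration. The sensitive-path pattern, the context path /identityiq, the threshold, the login feed and the log lines are all assumptions or constructed data.

```python
import re
from datetime import datetime, timezone

# Common/combined access-log format as written by Apache httpd or Tomcat's AccessLogValve.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)')
# Static paths under the IdentityIQ context that should never be served unauthenticated
# (mirrors the page's Apache rule plus the extensions named in the IoC list; assumed set).
SENSITIVE_RE = re.compile(r'^/identityiq/(WEB-INF|META-INF|config|.*\.(properties|xml|xhtml))', re.I)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
ENUM_THRESHOLD = 3  # 403/404 hits on sensitive paths from one client before flagging

def parse_line(line):
    """Return a dict for one access-log line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec

def analyze(log_lines, logins):
    """logins maps client IP -> successful-login timestamps taken from the auth log.
    Returns (sensitive retrievals with no prior login, clients showing enumeration)."""
    retrievals, errors = [], {}
    for line in log_lines:
        rec = parse_line(line)
        if rec is None or not SENSITIVE_RE.match(rec["path"]):
            continue
        if rec["status"] in (403, 404):
            errors[rec["ip"]] = errors.get(rec["ip"], 0) + 1  # probing for live paths
        elif rec["status"] == 200:
            # Only a login by the same client *before* the request counts as authenticated.
            if not any(t <= rec["ts"] for t in logins.get(rec["ip"], [])):
                retrievals.append((rec["ip"], rec["path"]))
    enumerating = sorted(ip for ip, n in errors.items() if n >= ENUM_THRESHOLD)
    return retrievals, enumerating

# Constructed sample data: one unauthenticated client probing, one logged-in user.
SAMPLE_LOG = [
    '203.0.113.7 - - [03/Dec/2024:09:15:01 +0000] "GET /identityiq/WEB-INF/web.xml HTTP/1.1" 404 196',
    '203.0.113.7 - - [03/Dec/2024:09:15:02 +0000] "GET /identityiq/config/a.properties HTTP/1.1" 404 196',
    '203.0.113.7 - - [03/Dec/2024:09:15:03 +0000] "GET /identityiq/META-INF/MANIFEST.MF HTTP/1.1" 403 199',
    '203.0.113.7 - - [03/Dec/2024:09:15:04 +0000] "GET /identityiq/sample/app.properties HTTP/1.1" 200 4821',
    '10.0.0.5 - - [03/Dec/2024:09:20:12 +0000] "GET /identityiq/home/report.xhtml HTTP/1.1" 200 5120',
]
SAMPLE_LOGINS = {"10.0.0.5": [datetime(2024, 12, 3, 9, 0, tzinfo=timezone.utc)]}
```

Run `analyze(SAMPLE_LOG, SAMPLE_LOGINS)` to see the probing client reported both for enumeration and for the unauthenticated retrieval, while the logged-in user's request is not flagged.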
How to Mitigate CVE-2024-10905
Immediate Actions Required
- Upgrade IdentityIQ 8.4 deployments to patch level 8.4p2 or later
- Upgrade IdentityIQ 8.3 deployments to patch level 8.3p5 or later
- Upgrade IdentityIQ 8.2 deployments to patch level 8.2p8 or later, and migrate any unsupported versions to a fixed release
- Audit web access logs for evidence of prior exploitation attempts against the application directory
Patch Information
SailPoint has released fixed patch levels addressing the improper access control flaw. Customers should apply 8.4p2, 8.3p5, or 8.2p8 according to their installed major version. Detailed remediation guidance is provided in the SailPoint Security Advisory CVE-2024-10905.
Workarounds
- Restrict access to the IdentityIQ web interface using network segmentation, VPN, or zero-trust gateways until patches are applied
- Configure a reverse proxy or WAF rule set to block direct requests to static paths under the IdentityIQ application directory
- Enforce authentication challenges at the perimeter for all paths served by the IdentityIQ application context
# Example Apache httpd 2.4 reverse proxy rule blocking unauthenticated access to sensitive IdentityIQ paths
# Assumes the application is deployed under the /identityiq context; adjust the prefix to match
<LocationMatch "^/identityiq/(WEB-INF|META-INF|config|.*\.properties)">
    Require all denied
</LocationMatch>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.