Lucene search

SailPointCVE-2024-3317

HistoryMay 15, 2024 - 4:15 p.m.

CVE-2024-3317

2024-05-1516:15:10

CWE-1284

SailPoint

web.nvd.nist.gov

improper access control

identity security cloud

isc message server

authenticated user

exfiltrate

job processing metadata

other tenants

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

AI Score

6.6

Confidence

Low

EPSS

Percentile

9.0%

JSON

An improper access control was identified in the Identity Security Cloud (ISC) message server API that allowed an authenticated user to exfiltrate job processing metadata (opaque messageIDs, work queue depth and counts) for other tenants.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Identity Security Cloud",
    "vendor": "SailPoint",
    "versions": [
      {
        "status": "affected",
        "version": "n/a"
      }
    ]
  }
]

References

www.sailpoint.com/security-advisories/

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

AI Score

6.6

Confidence

Low

EPSS

Percentile

9.0%

JSON

Related for CVE-2024-3317