CVE-2023-32217

Summary

IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p3, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p6, IdentityIQ 8.1 and all 8.1 patch levels prior to 8.1p7, IdentityIQ 8.0 and all 8.0 patch levels prior to 8.0p6 allow an authenticated user to invoke a Java constructor with no arguments or a Java constructor with a single Map argument in any Java class available in the IdentityIQ application classpath.

Affected Software

VendorProductVersion RangeStatus
SailPointIdentityIQ8.3 <= 8.3p2affected
SailPointIdentityIQ8.2 <= 8.2p5affected
SailPointIdentityIQ8.1 <= 8.1p6affected
SailPointIdentityIQ8.0 <= 8.0p5affected

Weaknesses

  • CWE-470: CWE-470 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References