CVE-2024-3319

9.1 CRITICAL

📋 TL;DR

This vulnerability allows authenticated administrators in SailPoint Identity Security Cloud to execute arbitrary code on the host system by using user-defined templates in attribute transform previews. It affects organizations using SailPoint ISC with administrator accounts that have access to transform preview and IdentityProfile preview API endpoints.

💻 Affected Systems

Products:
  • SailPoint Identity Security Cloud
Versions: Specific versions not publicly disclosed in references; check vendor advisory for exact affected versions
Operating Systems: Cloud-hosted platform (OS details not specified)
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated administrator access to the vulnerable API endpoints. Cloud deployment means customers don't manage underlying OS.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise allowing attackers to execute arbitrary code, steal sensitive data, deploy ransomware, or establish persistent backdoors on the host system.

🟠

Likely Case

Privilege escalation leading to unauthorized access to sensitive identity data, configuration manipulation, or lateral movement within the identity management infrastructure.

🟢

If Mitigated

Limited impact if proper access controls restrict administrator privileges and network segmentation isolates the ISC environment.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires administrator credentials, but the vulnerable code path is core API functionality (transform and IdentityProfile previews) that administrators would normally use, so the attack traffic does not look unusual on its own.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not specified in references; check vendor advisory for exact patched version

Vendor Advisory: https://www.sailpoint.com/security-advisories/

Restart Required: No

Instructions:

  1. Access the SailPoint ISC admin console.
  2. Check the current version against the vendor advisory.
  3. If vulnerable, contact SailPoint support for patching instructions.
  4. Apply security updates as directed by SailPoint.

🔧 Temporary Workarounds

Restrict Administrator Access (Platform: all)

Temporarily limit administrator access to only essential personnel and monitor for suspicious API calls to transform preview endpoints.

No OS-level commands; implement via the SailPoint ISC admin console.

API Endpoint Monitoring (Platform: all)

Implement enhanced logging and alerting for calls to /api/v3/transform/preview and related IdentityProfile preview endpoints.

Configure via SailPoint logging settings and SIEM integration.

🧯 If You Can't Patch

  • Implement strict least-privilege access controls for administrator accounts
  • Enable comprehensive API call logging and real-time monitoring for suspicious transform preview activities

🔍 How to Verify

Check if Vulnerable:

Check your SailPoint ISC version against the vendor security advisory and verify if you have administrator access to transform preview functionality.

Check Version:

Check version in SailPoint ISC admin console under System Information or contact SailPoint support

Verify Fix Applied:

Confirm with SailPoint support that your instance has received the security update and test that user-defined templates cannot execute arbitrary code.

📡 Detection & Monitoring

Log Indicators:

  • Unusual API calls to transform preview endpoints
  • Administrator accounts performing unexpected template executions
  • Error logs showing template execution failures

Network Indicators:

  • Abnormal traffic patterns to /api/v3/transform/preview endpoints
  • Unexpected outbound connections from ISC hosts

SIEM Query:

source="sailpoint_isc" AND (uri_path="/api/v3/transform/preview" OR uri_path CONTAINS "IdentityProfile/preview") AND user_role="administrator"
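The indicators and the SIEM query above say what to look for but not how to evaluate it outside a SIEM. The following is an added example, not part of the original advisory and not SailPoint's own tooling: a small Python script that applies the same logic as the SIEM query to a few constructed JSON audit lines, then counts matching calls per administrator account and server-side failures (the advisory's "template execution failures" indicator). The field names (`source`, `uri_path`, `user_role`, `user`, `status`, `ts`) are taken from the query above or assumed; the real SailPoint ISC audit event schema may differ, and the IdentityProfile path in the sample data is constructed only to contain the substring the query matches on, not a documented endpoint.

```python
import json
from collections import Counter

# Endpoint patterns named in the advisory's detection section.
PREVIEW_EXACT = {"/api/v3/transform/preview"}
PREVIEW_SUBSTRINGS = ("IdentityProfile/preview",)

# Constructed sample audit events (not real SailPoint ISC logs). Field names
# follow the advisory's SIEM query and are an assumption about the schema.
SAMPLE_LOG_LINES = [
    '{"ts": "2024-05-01T10:00:00Z", "source": "sailpoint_isc", "user": "alice", '
    '"user_role": "administrator", "uri_path": "/api/v3/transform/preview", "status": 200}',
    '{"ts": "2024-05-01T10:00:02Z", "source": "sailpoint_isc", "user": "alice", '
    '"user_role": "administrator", "uri_path": "/api/v3/transform/preview", "status": 500}',
    # Constructed path that merely contains the query's substring.
    '{"ts": "2024-05-01T10:00:03Z", "source": "sailpoint_isc", "user": "alice", '
    '"user_role": "administrator", "uri_path": "/placeholder/IdentityProfile/preview", "status": 200}',
    # Non-administrator caller: excluded by the role condition.
    '{"ts": "2024-05-01T10:01:00Z", "source": "sailpoint_isc", "user": "bob", '
    '"user_role": "user", "uri_path": "/api/v3/transform/preview", "status": 403}',
    # Administrator on a non-preview path: excluded by the path condition.
    '{"ts": "2024-05-01T10:02:00Z", "source": "sailpoint_isc", "user": "carol", '
    '"user_role": "administrator", "uri_path": "/api/v3/transforms", "status": 200}',
    # Wrong log source: excluded by the source condition.
    '{"ts": "2024-05-01T10:03:00Z", "source": "other_app", "user": "dave", '
    '"user_role": "administrator", "uri_path": "/api/v3/transform/preview", "status": 200}',
    'this line is not json and must be skipped, not crash the scan',
]


def parse_event(line):
    """Parse one JSON log line; return None for malformed or non-object lines."""
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return None
    return event if isinstance(event, dict) else None


def is_preview_path(path):
    """True for the exact transform preview path or any IdentityProfile preview path."""
    if path in PREVIEW_EXACT:
        return True
    return any(fragment in path for fragment in PREVIEW_SUBSTRINGS)


def matches_query(event):
    """Mirror the advisory's SIEM query: ISC source AND preview path AND administrator role."""
    return (
        event.get("source") == "sailpoint_isc"
        and is_preview_path(event.get("uri_path", ""))
        and event.get("user_role") == "administrator"
    )


def find_suspicious(lines, burst_threshold=3):
    """Scan log lines and summarise matching preview calls.

    Returns the matching events, a per-user count, users at or above
    burst_threshold matches, and per-user counts of HTTP 5xx responses
    (an assumed proxy for the advisory's "template execution failures").
    """
    matches = []
    per_user = Counter()
    server_errors = Counter()
    for line in lines:
        event = parse_event(line)
        if event is None or not matches_query(event):
            continue
        matches.append(event)
        user = event.get("user", "<unknown>")
        per_user[user] += 1
        if int(event.get("status", 0)) >= 500:
            server_errors[user] += 1
    bursts = {user: n for user, n in per_user.items() if n >= burst_threshold}
    return {
        "matches": matches,
        "per_user": dict(per_user),
        "bursts": bursts,
        "server_errors": dict(server_errors),
    }


if __name__ == "__main__":
    summary = find_suspicious(SAMPLE_LOG_LINES)
    print(f"{len(summary['matches'])} preview calls by administrators")
    for user, count in summary["per_user"].items():
        flag = " BURST" if user in summary["bursts"] else ""
        errors = summary["server_errors"].get(user, 0)
        print(f"  {user}: {count} calls, {errors} server errors{flag}")
```

The per-user count here covers the whole input; in a production pipeline it would be computed over a sliding time window using the `ts` field, and the burst threshold tuned to how often administrators in your tenant legitimately preview transforms. A high failure rate on these endpoints from a single account is worth a look even when the account is expected to use them.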
