{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"assignerOrgId":"2cfc7547-56a0-4049-8b52-c3078e8a8719","assignerShortName":"SailPoint","cveId":"CVE-2023-32217","state":"PUBLISHED","dateUpdated":"2025-01-10T15:40:35.132Z","datePublished":"2023-05-31T00:00:00.000Z","dateReserved":"2023-05-04T20:01:49.973Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unknown","product":"IdentityIQ","vendor":"SailPoint","versions":[{"lessThanOrEqual":"8.3p2","status":"affected","version":"8.3","versionType":"semver"},{"lessThanOrEqual":"8.2p5","status":"affected","version":"8.2","versionType":"semver"},{"lessThanOrEqual":"8.1p6","status":"affected","version":"8.1","versionType":"semver"},{"lessThanOrEqual":"8.0p5","status":"affected","version":"8.0","versionType":"semver"}]}],"credits":[{"lang":"en","type":"reporter","user":"00000000-0000-4000-9000-000000000000","value":"Recurity Labs GmbH"}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p3, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p6, IdentityIQ 8.1 and all 8.1 patch levels prior to 8.1p7, IdentityIQ 8.0 and all 8.0 patch levels prior to 8.0p6&nbsp;allow an authenticated user to invoke a Java constructor with no arguments or a Java constructor with a single Map argument in any Java class available in the IdentityIQ application classpath.<br><br>"}],"value":"IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p3, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p6, IdentityIQ 8.1 and all 8.1 patch levels prior to 8.1p7, IdentityIQ 8.0 and all 8.0 patch levels prior to 8.0p6 allow an authenticated user to invoke a Java constructor with no arguments or a Java constructor with a single Map argument in any Java class available in the IdentityIQ application classpath."}],"impacts":[{"capecId":"CAPEC-138","descriptions":[{"lang":"en","value":"CAPEC-138 Reflection Injection"}]}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"CHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-470","description":"CWE-470 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2023-06-05T03:55:37.447Z","orgId":"2cfc7547-56a0-4049-8b52-c3078e8a8719","shortName":"SailPoint"},"references":[{"url":"https://www.sailpoint.com/security-advisories/sailpoint-identityiq-unsafe-use-of-reflection-vulnerability-cve-2023-32217/"}],"source":{"discovery":"EXTERNAL"},"title":"SailPoint IdentityIQ Unsafe use of Reflection Vulnerability","x_generator":{"engine":"SecretariatVulnogram 0.1.0-dev"}},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-02T15:10:23.943Z"},"title":"CVE Program Container","references":[{"url":"https://www.sailpoint.com/security-advisories/sailpoint-identityiq-unsafe-use-of-reflection-vulnerability-cve-2023-32217/","tags":["x_transferred"]}]},{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2025-01-10T15:40:05.443644Z","id":"CVE-2023-32217","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-01-10T15:40:35.132Z"}}]}}