Spring Framework Path Traversal Vulnerability in Identity Suite 15.0



Article ID: 440203


Products

CA Identity Suite

Issue/Introduction

A path traversal vulnerability has been identified in the Spring Framework versions used by Identity Suite 15.0. An attacker could craft malicious HTTP requests to retrieve files on the file system that are readable by the application process.

Affected Versions

  • Identity Suite: 15.0 (including Fix Pack 6)
  • Spring Framework:
    • 5.3.0 - 5.3.40
    • 6.0.0 - 6.0.24
    • 6.1.0 - 6.1.13
    • Older unsupported versions are also affected.

Environment

Identity Suite 15.0

Cause

The issue is caused by a known vulnerability in the Spring Framework's static resource serving in its functional web frameworks (WebMvc.fn and WebFlux.fn), which allows path traversal attacks.
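Because no standalone fix is available for 15.0, the interim defensive step is to watch for traversal attempts against the static-resource URLs. The following log scanner is an added example written for this article; it is not Broadcom, Identity Suite or Spring code. The `/static/` prefix and the combined-format access-log lines are constructed placeholders: substitute the path under which your deployment actually serves static resources.

```python
"""Scan web-server access logs for path-traversal attempts against
static-resource URLs (added example, not vendor code)."""
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Apache/nginx combined format).
# The traversal targets shown are generic placeholders, not Identity Suite paths.
SAMPLE_LOG = """\
10.0.0.5 - - [01/May/2026:10:00:01 +0000] "GET /static/css/app.css HTTP/1.1" 200 512
10.0.0.7 - - [01/May/2026:10:00:02 +0000] "GET /static/../../etc/passwd HTTP/1.1" 200 1024
10.0.0.7 - - [01/May/2026:10:00:03 +0000] "GET /static/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1024
10.0.0.7 - - [01/May/2026:10:00:04 +0000] "GET /static/%252e%252e/conf/app.properties HTTP/1.1" 404 0
10.0.0.9 - - [01/May/2026:10:00:05 +0000] "GET /static/js/..app.js HTTP/1.1" 200 99
10.0.0.9 - - [01/May/2026:10:00:06 +0000] "GET /static/img/logo..png HTTP/1.1" 200 99
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumption: the prefix(es) under which the application serves static files.
STATIC_PREFIXES = ("/static/",)


def fully_decode(path, max_rounds=3):
    """Percent-decode until the string stops changing (bounded), so that
    double-encoded sequences such as %252e%252e are also caught."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_traversal_attempt(raw_path):
    """True when the decoded path contains a bare '..' segment.
    Backslashes are treated as separators because some servers do.
    Names that merely contain '..' (e.g. 'logo..png') are not flagged."""
    path = fully_decode(raw_path.split("?", 1)[0]).replace("\\", "/")
    return any(seg == ".." for seg in path.split("/"))


def scan_log(text, prefixes=STATIC_PREFIXES):
    """Return (client_ip, status, raw_path) for every request to a static
    prefix whose path attempts traversal."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        raw = m.group("path")
        if fully_decode(raw).startswith(prefixes) and is_traversal_attempt(raw):
            hits.append((m.group("ip"), int(m.group("status")), raw))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Run against the sample, three requests from 10.0.0.7 are reported and the two benign `..`-containing file names are not. A flagged request that returned 200 deserves an incident-response look, since the server may have served the file; a 404 indicates a probe that did not succeed. The same check can be placed in a reverse proxy or WAF rule in front of the application until 15.0.1 is deployed.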

Resolution

Engineering has determined that a standalone fix for the 15.0 release cannot be provided because the resolution requires an upgrade of the underlying WorkPoint component.

Upgrade Path

The vulnerability is resolved by upgrading to Identity Suite 15.0.1.

  • Fix Details: Identity Suite 15.0.1 includes an upgraded WorkPoint version (4.6.14) which incorporates Spring Framework 6.2.2.
  • Availability: Identity Suite 15.0.1 is expected to be released by the end of June 2026.

Recommended Actions

  1. Plan for Upgrade: Organizations currently on Identity Suite 15.0 should plan to adopt version 15.0.1 as soon as it becomes available.
  2. Monitor Releases: Check the Identity Suite Release Notes for the official release of 15.0.1.