Pingidentity Pingfederate
14 CVEs affecting Pingidentity Pingfederate. Latest disclosed: 2024-07-09. Critical: 1, High: 5.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2021-40329 | Critical | 9.8 | 2021-09-27 | The Authentication API in Ping Identity PingFederate before 10.3 mishandles certain aspects of external password management. |
| CVE-2023-40545 | High | 8.8 | 2024-02-06 | Authentication bypass when an OAuth2 Client is using client_secret_jwt as its authentication method on affected 11.3 versions via specially crafted requests. |
| CVE-2023-37283 | High | 8.1 | 2023-10-25 | Under a very specific and highly unrecommended configuration, authentication bypass is possible in the PingFederate Identifier First Adapter. |
| CVE-2022-40722 | High | 7.7 | 2023-04-25 | A misconfiguration of RSA padding implemented in the PingID Adapter for PingFederate to support Offline MFA with PingID mobile authenticators is vulnerable to… |
| CVE-2023-39219 | High | 7.5 | 2023-10-25 | PingFederate Administrative Console dependency contains a weakness where the console becomes unresponsive with crafted Java class loading enumeration requests. |
| CVE-2021-41770 | High | 7.5 | 2021-10-07 | Ping Identity PingFederate before 10.3.1 mishandles pre-parsing validation, leading to an XXE attack that can achieve XML file disclosure. |
| CVE-2022-40723 | Medium | 6.5 | 2023-04-25 | The PingID RADIUS PCV adapter for PingFederate, which supports RADIUS authentication with PingID MFA, is vulnerable to MFA bypass under certain configurations. |
| CVE-2022-23722 | Medium | 6.5 | 2022-05-02 | When a password reset mechanism is configured to use the Authentication API with an Authentication Policy, email One-Time Password, PingID or SMS authenticatio… |
| CVE-2022-40724 | Medium | 6.4 | 2023-04-25 | The PingFederate Local Identity Profiles '/pf/idprofile.ping' endpoint is vulnerable to Cross-Site Request Forgery (CSRF) through crafted GET requests. |
| CVE-2024-22377 | Medium | 5.3 | 2024-07-09 | The deploy directory in PingFederate runtime nodes is reachable to unauthorized users. |
| CVE-2021-42000 | Medium | 5.3 | 2022-02-10 | When a password reset or password change flow with an authentication policy is configured and the adapter in the reset or change policy supports multiple paral… |
| CVE-2023-34085 | Low | 2.6 | 2023-10-25 | When an AWS DynamoDB table is used for user attribute storage, it is possible to retrieve the attributes of another user using a maliciously crafted request. |
| CVE-2024-22477 | Low | 1.8 | 2024-07-09 | A cross-site scripting vulnerability exists in the admin console OIDC Policy Management Editor. The impact is contained to admin console users only. |
| CVE-2014-8489 | | | 2014-12-12 | Open redirect vulnerability in startSSO.ping in the SP Endpoints in Ping Identity PingFederate 6.10.1 allows remote attackers to redirect users to arbitrary we… |