Ping Identity PingFederate

14 CVEs affecting Ping Identity PingFederate. Latest disclosed: 2024-07-09. Critical: 1, High: 5.

Top CVEs affecting Ping Identity PingFederate

| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2021-40329 | Critical | 9.8 | 2021-09-27 | The Authentication API in Ping Identity PingFederate before 10.3 mishandles certain aspects of external password management. |
| CVE-2023-40545 | High | 8.8 | 2024-02-06 | Authentication bypass when an OAuth2 client is using client_secret_jwt as its authentication method on affected 11.3 versions, via specially crafted requests. |
| CVE-2023-37283 | High | 8.1 | 2023-10-25 | Under a very specific and strongly discouraged configuration, authentication bypass is possible in the PingFederate Identifier First Adapter. |
| CVE-2022-40722 | High | 7.7 | 2023-04-25 | A misconfiguration of RSA padding implemented in the PingID Adapter for PingFederate to support Offline MFA with PingID mobile authenticators is vulnerable to… |
| CVE-2023-39219 | High | 7.5 | 2023-10-25 | A PingFederate Administrative Console dependency contains a weakness where the console becomes unresponsive when sent crafted Java class loading enumeration requests. |
| CVE-2021-41770 | High | 7.5 | 2021-10-07 | Ping Identity PingFederate before 10.3.1 mishandles pre-parsing validation, leading to an XXE attack that can achieve XML file disclosure. |
| CVE-2022-40723 | Medium | 6.5 | 2023-04-25 | The PingID RADIUS PCV adapter for PingFederate, which supports RADIUS authentication with PingID MFA, is vulnerable to MFA bypass under certain configurations. |
| CVE-2022-23722 | Medium | 6.5 | 2022-05-02 | When a password reset mechanism is configured to use the Authentication API with an Authentication Policy, email One-Time Password, PingID or SMS authenticatio… |
| CVE-2022-40724 | Medium | 6.4 | 2023-04-25 | The PingFederate Local Identity Profiles '/pf/idprofile.ping' endpoint is vulnerable to Cross-Site Request Forgery (CSRF) through crafted GET requests. |
| CVE-2024-22377 | Medium | 5.3 | 2024-07-09 | The deploy directory in PingFederate runtime nodes is reachable to unauthorized users. |
| CVE-2021-42000 | Medium | 5.3 | 2022-02-10 | When a password reset or password change flow with an authentication policy is configured and the adapter in the reset or change policy supports multiple paral… |
| CVE-2023-34085 | Low | 2.6 | 2023-10-25 | When an AWS DynamoDB table is used for user attribute storage, it is possible to retrieve the attributes of another user using a maliciously crafted request. |
| CVE-2024-22477 | Low | 1.8 | 2024-07-09 | A cross-site scripting vulnerability exists in the admin console OIDC Policy Management Editor. The impact is contained to admin console users only. |
| CVE-2014-8489 | | | 2014-12-12 | Open redirect vulnerability in startSSO.ping in the SP Endpoints in Ping Identity PingFederate 6.10.1 allows remote attackers to redirect users to arbitrary we… |