Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Pingfederate
(Pingidentity)| Repositories |
Unknown: This might be proprietary software. |
| #Vulnerabilities | 14 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2024-07-09 | CVE-2024-22377 | The deploy directory in PingFederate runtime nodes is reachable to unauthorized users. | Pingfederate | 5.3 | ||
| 2024-07-09 | CVE-2024-22477 | A cross-site scripting vulnerability exists in the admin console OIDC Policy Management Editor. The impact is contained to admin console users only. | Pingfederate | 4.3 | ||
| 2024-02-06 | CVE-2023-40545 | Authentication bypass when an OAuth2 Client is using client_secret_jwt as its authentication method on affected 11.3 versions via specially crafted requests. | Pingfederate | 9.8 | ||
| 2023-10-25 | CVE-2023-37283 | Under a very specific and highly unrecommended configuration, authentication bypass is possible in the PingFederate Identifier First Adapter | Pingfederate | 9.8 | ||
| 2023-10-25 | CVE-2023-39219 | PingFederate Administrative Console dependency contains a weakness where console becomes unresponsive with crafted Java class loading enumeration requests | Pingfederate | 7.5 | ||
| 2021-09-27 | CVE-2021-40329 | The Authentication API in Ping Identity PingFederate before 10.3 mishandles certain aspects of external password management. | Pingfederate | 9.8 | ||
| 2021-10-07 | CVE-2021-41770 | Ping Identity PingFederate before 10.3.1 mishandles pre-parsing validation, leading to an XXE attack that can achieve XML file disclosure. | Pingfederate | 7.5 | ||
| 2022-05-02 | CVE-2022-23722 | When a password reset mechanism is configured to use the Authentication API with an Authentication Policy, email One-Time Password, PingID or SMS authentication, an existing user can reset another existing user’s password. | Pingfederate | 6.5 | ||
| 2023-10-25 | CVE-2023-34085 | When an AWS DynamoDB table is used for user attribute storage, it is possible to retrieve the attributes of another user using a maliciously crafted request | Pingfederate | 4.3 | ||
| 2023-04-25 | CVE-2022-40722 | A misconfiguration of RSA padding implemented in the PingID Adapter for PingFederate to support Offline MFA with PingID mobile authenticators is vulnerable to pre-computed dictionary attacks, leading to a bypass of offline MFA. | Pingfederate, Pingid_adapter_for_pingfederate, Pingid_integration_kit | 5.8 |