14 matches found
CVE-2022-23722
PingFederate Password Reset vulnerability (CVE-2022-23722): when the password-reset mechanism uses the Authentication API with an Authentication Policy, email OTP, PingID, or SMS, an existing user can reset another user’s password. The connected sources describe the issue and its impact but do no...
CVE-2021-41770
PingFederate (Ping Identity) before version 10.3.1 is vulnerable to an XXE attack due to improper pre-parsing validation, potentially allowing XML file disclosure. Affected product: PingFederate. Root cause: mishandled pre-parsing validation. Impact: XML data disclosure. Remediation: upgrade to P...
CVE-2021-42000
CVE-2021-42000 affects Ping Identity PingFederate. The issue arises when a password reset or password change flow uses an authentication policy and the policy’s adapter supports multiple parallel reset flows. This can allow an existing user to reset the password of another existing user, represen...
CVE-2023-40545
CVE-2023-40545 describes an authentication bypass in PingFederate when an OAuth2 Client uses the client_secret_jwt authentication method on affected PingFederate 11.3 versions via specially crafted requests. Red Hat and NVD entries corroborate the bypass affecting 11.3, with the impact described ...
CVE-2024-22377
CVE-2024-22377 concerns PingFederate: the deploy directory on runtime nodes is reachable to unauthorized users, enabling potential access to deployment files. Public sources (CNNVD) indicate PingFederate versions prior to 12.0.1 are affected; no fix version is listed there, but other references i...
CVE-2024-22477
PingFederate OIDC Policy Management Editor in the admin console has a cross-site scripting vulnerability affecting admin console users. The issue is described across multiple sources (CVE-2024-22477) with no publicly documented exploit details in the provided materials. Impact is limited to admin...
CVE-2014-8489
PingFederate 6.10.1 SP Endpoints is affected by an open redirect vulnerability in startSSO.ping, allowing remote attackers to redirect users via the TargetResource parameter and potentially enable phishing. Public references describe the vulnerability as a URL redirection to untrusted sites (CWE-...
CVE-2022-40724
CVE-2022-40724 affects PingFederate Local Identity Profiles endpoint /pf/idprofile.ping and is a Cross-Site Request Forgery vulnerability triggered by crafted GET requests. Root cause: CSRF on the /pf/idprofile.ping endpoint as described in the CVE record. Impact, per NVD metrics, include high co...
CVE-2023-39219
CVE-2023-39219 : PingFederate Administrative Console dependency contains a weakness that can render the console unresponsive via crafted Java class loading enumeration requests. Documented as a high-severity issue with Network access and HIGH availability impact, but public details on affected ve...
CVE-2023-34085
CVE-2023-34085 describes a vulnerability where, if an AWS DynamoDB table is used for storing user attributes, an attacker can craft a request to retrieve another user’s attributes. The connected records corroborate this label and tie the issue to Ping Identity PingFederate and related disclosures...
CVE-2021-40329
Summary: CVE-2021-40329 affects Ping Identity PingFederate’s Authentication API prior to version 10.3, where external password management is mishandled. The vulnerability is tied to authentication handling and could impact confidentiality, integrity, and availability as reflected by the CVSS metr...
CVE-2023-37283
The CVE-2023-37283 entry concerns Ping Identity PingFederate’s Identifier First Adapter. Affects PingFederate Identifier First Adapter under a very specific, highly unrecommended configuration, enabling an authentication bypass. Documented impact includes HIGH confidentiality and HIGH integrity (...
CVE-2022-40722
CVE-2022-40722 concerns a misconfiguration of RSA padding in the PingID Adapter for PingFederate used to support Offline MFA with PingID mobile authenticators. Red Hat, NVD, CNNVD and other sources describe that this faulty padding enables pre-computed dictionary attacks that bypass offline MFA. ...
CVE-2022-40723
The CVE-2022-40723 entry concerns the PingID RADIUS PCV adapter for PingFederate. Reports in connected sources confirm a configuration-based MFA bypass vulnerability in this component (PingID RADIUS PCV adapter) with no explicit affected version ranges provided. Documented impact is MFA bypass un...