Lucene search
K
PingidentityPingfederate

14 matches found

CVE
CVE
added 2022/05/02 10:5 p.m.728 views

CVE-2022-23722

PingFederate Password Reset vulnerability (CVE-2022-23722): when the password-reset mechanism uses the Authentication API with an Authentication Policy, email OTP, PingID, or SMS, an existing user can reset another user’s password. The connected sources describe the issue and its impact but do no...

6.5CVSS6.6AI score0.00571EPSS
CVE
CVE
added 2021/10/07 6:24 a.m.189 views

CVE-2021-41770

PingFederate (Ping Identity) before version 10.3.1 is vulnerable to an XXE attack due to improper pre-parsing validation, potentially allowing XML file disclosure. Affected product: PingFederate. Root cause: mishandled pre-parsing validation. Impact: XML data disclosure. Remediation: upgrade to P...

7.5CVSS7.9AI score0.00962EPSS
CVE
CVE
added 2022/02/10 10:30 p.m.106 views

CVE-2021-42000

CVE-2021-42000 affects Ping Identity PingFederate. The issue arises when a password reset or password change flow uses an authentication policy and the policy’s adapter supports multiple parallel reset flows. This can allow an existing user to reset the password of another existing user, represen...

6.5CVSS6AI score0.00535EPSS
CVE
CVE
added 2024/02/06 5:27 p.m.74 views

CVE-2023-40545

CVE-2023-40545 describes an authentication bypass in PingFederate when an OAuth2 Client uses the client_secret_jwt authentication method on affected PingFederate 11.3 versions via specially crafted requests. Red Hat and NVD entries corroborate the bypass affecting 11.3, with the impact described ...

9.8CVSS9.5AI score0.00933EPSS
CVE
CVE
added 2024/07/09 11:3 p.m.74 views

CVE-2024-22377

CVE-2024-22377 concerns PingFederate: the deploy directory on runtime nodes is reachable to unauthorized users, enabling potential access to deployment files. Public sources (CNNVD) indicate PingFederate versions prior to 12.0.1 are affected; no fix version is listed there, but other references i...

5.3CVSS5.2AI score0.00439EPSS
CVE
CVE
added 2024/07/09 11:1 p.m.65 views

CVE-2024-22477

PingFederate OIDC Policy Management Editor in the admin console has a cross-site scripting vulnerability affecting admin console users. The issue is described across multiple sources (CVE-2024-22477) with no publicly documented exploit details in the provided materials. Impact is limited to admin...

4.3CVSS3.8AI score0.00173EPSS
CVE
CVE
added 2014/12/12 3:0 p.m.55 views

CVE-2014-8489

PingFederate 6.10.1 SP Endpoints is affected by an open redirect vulnerability in startSSO.ping, allowing remote attackers to redirect users via the TargetResource parameter and potentially enable phishing. Public references describe the vulnerability as a URL redirection to untrusted sites (CWE-...

6.4CVSS6.8AI score0.02906EPSS
Web
CVE
CVE
added 2023/04/25 12:0 a.m.51 views

CVE-2022-40724

CVE-2022-40724 affects PingFederate Local Identity Profiles endpoint /pf/idprofile.ping and is a Cross-Site Request Forgery vulnerability triggered by crafted GET requests. Root cause: CSRF on the /pf/idprofile.ping endpoint as described in the CVE record. Impact, per NVD metrics, include high co...

8.8CVSS7.6AI score0.00181EPSS
CVE
CVE
added 2023/10/25 1:44 a.m.50 views

CVE-2023-39219

CVE-2023-39219 : PingFederate Administrative Console dependency contains a weakness that can render the console unresponsive via crafted Java class loading enumeration requests. Documented as a high-severity issue with Network access and HIGH availability impact, but public details on affected ve...

7.5CVSS7.5AI score0.00589EPSS
CVE
CVE
added 2023/10/25 2:3 a.m.46 views

CVE-2023-34085

CVE-2023-34085 describes a vulnerability where, if an AWS DynamoDB table is used for storing user attributes, an attacker can craft a request to retrieve another user’s attributes. The connected records corroborate this label and tie the issue to Ping Identity PingFederate and related disclosures...

4.3CVSS4AI score0.00467EPSS
CVE
CVE
added 2021/09/27 4:22 p.m.44 views

CVE-2021-40329

Summary: CVE-2021-40329 affects Ping Identity PingFederate’s Authentication API prior to version 10.3, where external password management is mishandled. The vulnerability is tied to authentication handling and could impact confidentiality, integrity, and availability as reflected by the CVSS metr...

9.8CVSS9.5AI score0.01113EPSS
CVE
CVE
added 2023/10/25 1:24 a.m.41 views

CVE-2023-37283

The CVE-2023-37283 entry concerns Ping Identity PingFederate’s Identifier First Adapter. Affects PingFederate Identifier First Adapter under a very specific, highly unrecommended configuration, enabling an authentication bypass. Documented impact includes HIGH confidentiality and HIGH integrity (...

9.8CVSS9.2AI score0.00748EPSS
CVE
CVE
added 2023/04/25 12:0 a.m.38 views

CVE-2022-40722

CVE-2022-40722 concerns a misconfiguration of RSA padding in the PingID Adapter for PingFederate used to support Offline MFA with PingID mobile authenticators. Red Hat, NVD, CNNVD and other sources describe that this faulty padding enables pre-computed dictionary attacks that bypass offline MFA. ...

7.7CVSS5.9AI score0.00328EPSS
CVE
CVE
added 2023/04/25 12:0 a.m.36 views

CVE-2022-40723

The CVE-2022-40723 entry concerns the PingID RADIUS PCV adapter for PingFederate. Reports in connected sources confirm a configuration-based MFA bypass vulnerability in this component (PingID RADIUS PCV adapter) with no explicit affected version ranges provided. Documented impact is MFA bypass un...

6.5CVSS6.7AI score0.00517EPSS