Vulnerabilities > Pingidentity
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-07-09 | CVE-2024-22377 | Path Traversal vulnerability in Pingidentity Pingfederate The deploy directory in PingFederate runtime nodes is reachable to unauthorized users. | 5.3 |
| 2024-07-09 | CVE-2024-22477 | Cross-site Scripting vulnerability in Pingidentity Pingfederate A cross-site scripting vulnerability exists in the admin console OIDC Policy Management Editor. | 4.3 |
| 2024-02-06 | CVE-2023-40545 | Missing Authentication for Critical Function vulnerability in Pingidentity Pingfederate 11.3.0 Authentication bypass when an OAuth2 Client is using client_secret_jwt as its authentication method on affected 11.3 versions via specially crafted requests. | 9.8 |
| 2024-02-01 | CVE-2023-36496 | Unspecified vulnerability in Pingidentity Pingdirectory Delegated Admin Privilege virtual attribute provider plugin, when enabled, allows an authenticated user to elevate their permissions in the Directory Server. | 8.8 |
| 2023-10-25 | CVE-2023-34085 | Unspecified vulnerability in Pingidentity Pingfederate When an AWS DynamoDB table is used for user attribute storage, it is possible to retrieve the attributes of another user using a maliciously crafted request | 4.3 |
| 2023-10-25 | CVE-2023-37283 | Improper Authentication vulnerability in Pingidentity Pingfederate Under a very specific and highly unrecommended configuration, authentication bypass is possible in the PingFederate Identifier First Adapter | 9.8 |
| 2023-10-25 | CVE-2023-39219 | Resource Exhaustion vulnerability in Pingidentity Pingfederate PingFederate Administrative Console dependency contains a weakness where console becomes unresponsive with crafted Java class loading enumeration requests | 7.5 |
| 2023-10-25 | CVE-2023-39231 | Missing Authentication for Critical Function vulnerability in Pingidentity Pingone MFA Integration KIT 2.2 PingFederate using the PingOne MFA adapter allows a new MFA device to be paired without requiring second factor authentication from an existing registered device. | 6.5 |
| 2023-10-25 | CVE-2023-39930 | Missing Authentication for Critical Function vulnerability in Pingidentity Pingid Radius PCV A first-factor authentication bypass vulnerability exists in the PingFederate with PingID Radius PCV when a MSCHAP authentication request is sent via a maliciously crafted RADIUS client request. | 9.8 |
| 2023-04-25 | CVE-2022-23721 | Injection vulnerability in Pingidentity Pingid Integration for Windows Login PingID integration for Windows login prior to 2.9 does not handle duplicate usernames, which can lead to a username collision when two people with the same username are provisioned onto the same machine at different times. | 3.3 |