Vulnerabilities > Pingidentity
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-02-06 | CVE-2023-40545 | Missing Authentication for Critical Function vulnerability in Pingidentity Pingfederate 11.3.0 Authentication bypass when an OAuth2 Client is using client_secret_jwt as its authentication method on affected 11.3 versions via specially crafted requests. | 9.8 |
| 2024-02-01 | CVE-2023-36496 | Unspecified vulnerability in Pingidentity Pingdirectory Delegated Admin Privilege virtual attribute provider plugin, when enabled, allows an authenticated user to elevate their permissions in the Directory Server. | 8.8 |
| 2023-10-25 | CVE-2023-34085 | Unspecified vulnerability in Pingidentity Pingfederate When an AWS DynamoDB table is used for user attribute storage, it is possible to retrieve the attributes of another user using a maliciously crafted request | 4.3 |
| 2023-10-25 | CVE-2023-37283 | Improper Authentication vulnerability in Pingidentity Pingfederate Under a very specific and highly unrecommended configuration, authentication bypass is possible in the PingFederate Identifier First Adapter | 9.8 |
| 2023-10-25 | CVE-2023-39219 | Resource Exhaustion vulnerability in Pingidentity Pingfederate PingFederate Administrative Console dependency contains a weakness where console becomes unresponsive with crafted Java class loading enumeration requests | 7.5 |
| 2023-10-25 | CVE-2023-39231 | Missing Authentication for Critical Function vulnerability in Pingidentity Pingone MFA Integration KIT 2.2 PingFederate using the PingOne MFA adapter allows a new MFA device to be paired without requiring second factor authentication from an existing registered device. | 6.5 |
| 2023-10-25 | CVE-2023-39930 | Missing Authentication for Critical Function vulnerability in Pingidentity Pingid Radius PCV A first-factor authentication bypass vulnerability exists in the PingFederate with PingID Radius PCV when a MSCHAP authentication request is sent via a maliciously crafted RADIUS client request. | 9.8 |
| 2023-04-25 | CVE-2022-23721 | Injection vulnerability in Pingidentity Pingid Integration for Windows Login PingID integration for Windows login prior to 2.9 does not handle duplicate usernames, which can lead to a username collision when two people with the same username are provisioned onto the same machine at different times. | 3.3 |
| 2023-04-25 | CVE-2022-40722 | Use of a Broken or Risky Cryptographic Algorithm vulnerability in Pingidentity products A misconfiguration of RSA padding implemented in the PingID Adapter for PingFederate to support Offline MFA with PingID mobile authenticators is vulnerable to pre-computed dictionary attacks, leading to a bypass of offline MFA. | 5.8 |
| 2023-04-25 | CVE-2022-40723 | Improper Authentication vulnerability in Pingidentity Pingfederate, Pingid Integration KIT and Radius PCV The PingID RADIUS PCV adapter for PingFederate, which supports RADIUS authentication with PingID MFA, is vulnerable to MFA bypass under certain configurations. | 6.5 |