Vulnerabilities > Pingidentity > Pingfederate
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-07-09 | CVE-2024-22377 | Path Traversal vulnerability in Pingidentity Pingfederate The deploy directory in PingFederate runtime nodes is reachable to unauthorized users. | 5.3 |
| 2024-07-09 | CVE-2024-22477 | Cross-site Scripting vulnerability in Pingidentity Pingfederate A cross-site scripting vulnerability exists in the admin console OIDC Policy Management Editor. | 4.3 |
| 2024-02-06 | CVE-2023-40545 | Missing Authentication for Critical Function vulnerability in Pingidentity Pingfederate 11.3.0 Authentication bypass when an OAuth2 Client is using client_secret_jwt as its authentication method on affected 11.3 versions via specially crafted requests. | 9.8 |
| 2023-10-25 | CVE-2023-34085 | Unspecified vulnerability in Pingidentity Pingfederate When an AWS DynamoDB table is used for user attribute storage, it is possible to retrieve the attributes of another user using a maliciously crafted request | 4.3 |
| 2023-10-25 | CVE-2023-37283 | Improper Authentication vulnerability in Pingidentity Pingfederate Under a very specific and highly unrecommended configuration, authentication bypass is possible in the PingFederate Identifier First Adapter | 9.8 |
| 2023-10-25 | CVE-2023-39219 | Resource Exhaustion vulnerability in Pingidentity Pingfederate PingFederate Administrative Console dependency contains a weakness where console becomes unresponsive with crafted Java class loading enumeration requests | 7.5 |
| 2023-04-25 | CVE-2022-40722 | Use of a Broken or Risky Cryptographic Algorithm vulnerability in Pingidentity products A misconfiguration of RSA padding implemented in the PingID Adapter for PingFederate to support Offline MFA with PingID mobile authenticators is vulnerable to pre-computed dictionary attacks, leading to a bypass of offline MFA. | 5.8 |
| 2023-04-25 | CVE-2022-40723 | Improper Authentication vulnerability in Pingidentity Pingfederate, Pingid Integration KIT and Radius PCV The PingID RADIUS PCV adapter for PingFederate, which supports RADIUS authentication with PingID MFA, is vulnerable to MFA bypass under certain configurations. | 6.5 |
| 2023-04-25 | CVE-2022-40724 | Cross-Site Request Forgery (CSRF) vulnerability in Pingidentity Pingfederate 10.3.0/10.3.4/11.0.0 The PingFederate Local Identity Profiles '/pf/idprofile.ping' endpoint is vulnerable to Cross-Site Request Forgery (CSRF) through crafted GET requests. | 8.8 |
| 2022-05-02 | CVE-2022-23722 | Improper Authentication vulnerability in Pingidentity Pingfederate When a password reset mechanism is configured to use the Authentication API with an Authentication Policy, email One-Time Password, PingID or SMS authentication, an existing user can reset another existing user’s password. | 6.5 |