CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2024-21832 – PingFederate REST API Data Store Injection
https://notcve.org/view.php?id=CVE-2024-21832
09 Jul 2024 — A potential JSON injection attack vector exists in PingFederate REST API data stores using the POST method and a JSON request body. Existe un posible vector de ataque de inyección JSON en los almacenes de datos de la API REST de PingFederate utilizando el método POST y un cuerpo de solicitud JSON. • https://docs.pingidentity.com/r/en-us/pingfederate-120/lwu1707324350083 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 5.3EPSS: 0%CPEs: 5EXPL: 0CVE-2024-22377 – PingFederate Runtime Node Path Traversal
https://notcve.org/view.php?id=CVE-2024-22377
09 Jul 2024 — The deploy directory in PingFederate runtime nodes is reachable to unauthorized users. El directorio de implementación en los nodos de tiempo de ejecución de PingFederate es accesible para usuarios no autorizados. • https://docs.pingidentity.com/r/en-us/pingfederate-120/lwu1707324350083 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 4.3EPSS: 0%CPEs: 5EXPL: 0CVE-2024-22477 – PingFederate OIDC Policy Management Editor Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2024-22477
09 Jul 2024 — A cross-site scripting vulnerability exists in the admin console OIDC Policy Management Editor. The impact is contained to admin console users only. Existe una vulnerabilidad de Cross Site Scripting en la consola de administración de OIDC Policy Management Editor. El impacto está limitado a los usuarios de la consola de administración únicamente. • https://docs.pingidentity.com/r/en-us/pingfederate-120/lwu1707324350083 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 4EXPL: 0CVE-2023-40148 – PingFederate Server Side Request Forgery vulnerability
https://notcve.org/view.php?id=CVE-2023-40148
10 Apr 2024 — Server-side request forgery (SSRF) in PingFederate allows unauthenticated http requests to attack network resources and consume server-side resources via forged HTTP POST requests. Server-Side Request Forgery (SSRF) en PingFederate permite que las solicitudes http no autenticadas ataquen recursos de la red y consuman recursos del lado del servidor a través de solicitudes HTTP POST falsificadas. • https://docs.pingidentity.com/r/en-us/pingfederate-120/tuj1708533127032 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-34085 – User Attribute Disclosure via DynamoDB Data Stores
https://notcve.org/view.php?id=CVE-2023-34085
25 Oct 2023 — When an AWS DynamoDB table is used for user attribute storage, it is possible to retrieve the attributes of another user using a maliciously crafted request Cuando se utiliza una tabla de AWS DynamoDB para el almacenamiento de atributos de usuario, es posible recuperar los atributos de otro usuario mediante una solicitud manipulada con fines malintencionados. • https://docs.pingidentity.com/r/en-us/pingfederate-113/gyk1689105783244 • CWE-359: Exposure of Private Personal Information to an Unauthorized Actor •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2023-39219 – Admin Console Denial of Service via Java class enumeration
https://notcve.org/view.php?id=CVE-2023-39219
25 Oct 2023 — PingFederate Administrative Console dependency contains a weakness where console becomes unresponsive with crafted Java class loading enumeration requests La dependencia de la consola administrativa de PingFederate contiene una debilidad donde la consola deja de responder con solicitudes de enumeración de carga de clases Java manipuladas • https://docs.pingidentity.com/r/en-us/pingfederate-113/gyk1689105783244 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 10.0EPSS: 0%CPEs: 4EXPL: 0CVE-2023-37283 – Authentication Bypass via HTML Form & Identifier First Adapter
https://notcve.org/view.php?id=CVE-2023-37283
25 Oct 2023 — Under a very specific and highly unrecommended configuration, authentication bypass is possible in the PingFederate Identifier First Adapter Bajo una configuración muy específica y altamente no recomendada, la omisión de autenticación es posible en PingFederate Identifier First Adapter • https://docs.pingidentity.com/r/en-us/pingfederate-113/gyk1689105783244 • CWE-287: Improper Authentication •
CVSS: 7.7EPSS: 0%CPEs: 4EXPL: 0CVE-2022-40722 – Misconfiguration of RSA padding for offline MFA in the PingID Adapter for PingFederate.
https://notcve.org/view.php?id=CVE-2022-40722
25 Apr 2023 — A misconfiguration of RSA padding implemented in the PingID Adapter for PingFederate to support Offline MFA with PingID mobile authenticators is vulnerable to pre-computed dictionary attacks, leading to a bypass of offline MFA. • https://docs.pingidentity.com/r/en-us/pingid/pingid_adapter_configuring_offline_mfa • CWE-327: Use of a Broken or Risky Cryptographic Algorithm CWE-780: Use of RSA Algorithm without OAEP •
CVSS: 6.8EPSS: 0%CPEs: 5EXPL: 0CVE-2022-40723 – Configuration-based MFA Bypass in PingID RADIUS PCV.
https://notcve.org/view.php?id=CVE-2022-40723
25 Apr 2023 — The PingID RADIUS PCV adapter for PingFederate, which supports RADIUS authentication with PingID MFA, is vulnerable to MFA bypass under certain configurations. • https://docs.pingidentity.com/r/en-us/pingid/pingid_integration_kit_2_19_rn • CWE-287: Improper Authentication CWE-305: Authentication Bypass by Primary Weakness •
CVSS: 10.0EPSS: 0%CPEs: 4EXPL: 0CVE-2022-40724 – Cross-Site Request Forgery on PingFederate Local Identity Profiles Endpoint.
https://notcve.org/view.php?id=CVE-2022-40724
25 Apr 2023 — The PingFederate Local Identity Profiles '/pf/idprofile.ping' endpoint is vulnerable to Cross-Site Request Forgery (CSRF) through crafted GET requests. • https://docs.pingidentity.com/r/en-us/pingfederate-110/fll1675188537050 • CWE-352: Cross-Site Request Forgery (CSRF) •