CVE-2023-39219 – Admin Console Denial of Service via Java class enumeration
https://notcve.org/view.php?id=CVE-2023-39219
PingFederate Administrative Console dependency contains a weakness where console becomes unresponsive with crafted Java class loading enumeration requests La dependencia de la consola administrativa de PingFederate contiene una debilidad donde la consola deja de responder con solicitudes de enumeración de carga de clases Java manipuladas • https://docs.pingidentity.com/r/en-us/pingfederate-113/gyk1689105783244 https://www.pingidentity.com/en/resources/downloads/pingfederate.html • CWE-400: Uncontrolled Resource Consumption •
CVE-2023-37283 – Authentication Bypass via HTML Form & Identifier First Adapter
https://notcve.org/view.php?id=CVE-2023-37283
Under a very specific and highly unrecommended configuration, authentication bypass is possible in the PingFederate Identifier First Adapter Bajo una configuración muy específica y altamente no recomendada, la omisión de autenticación es posible en PingFederate Identifier First Adapter • https://docs.pingidentity.com/r/en-us/pingfederate-113/gyk1689105783244 https://www.pingidentity.com/en/resources/downloads/pingfederate.html • CWE-287: Improper Authentication •
CVE-2022-40724 – Cross-Site Request Forgery on PingFederate Local Identity Profiles Endpoint.
https://notcve.org/view.php?id=CVE-2022-40724
The PingFederate Local Identity Profiles '/pf/idprofile.ping' endpoint is vulnerable to Cross-Site Request Forgery (CSRF) through crafted GET requests. • https://docs.pingidentity.com/r/en-us/pingfederate-110/fll1675188537050 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2022-23722 – PingFederate Password Reset via Authentication API Mishandling
https://notcve.org/view.php?id=CVE-2022-23722
When a password reset mechanism is configured to use the Authentication API with an Authentication Policy, email One-Time Password, PingID or SMS authentication, an existing user can reset another existing user’s password. Cuando un mecanismo de restablecimiento de contraseña está configurado para usar la API de Autenticación con una Política de Autenticación, una Contraseña de Una sola vez por correo electrónico, PingID o autenticación por SMS, un usuario existente puede restablecer la contraseña de otro usuario existente • https://docs.pingidentity.com/bundle/pingfederate-110/page/spk1642790928508.html https://www.pingidentity.com/en/resources/downloads/pingfederate.html • CWE-287: Improper Authentication CWE-288: Authentication Bypass Using an Alternate Path or Channel •