CVE-2024-21832 – PingFederate REST API Data Store Injection
https://notcve.org/view.php?id=CVE-2024-21832
A potential JSON injection attack vector exists in PingFederate REST API data stores using the POST method and a JSON request body. Existe un posible vector de ataque de inyección JSON en los almacenes de datos de la API REST de PingFederate utilizando el método POST y un cuerpo de solicitud JSON. • https://docs.pingidentity.com/r/en-us/pingfederate-120/lwu1707324350083 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2024-22377 – PingFederate Runtime Node Path Traversal
https://notcve.org/view.php?id=CVE-2024-22377
The deploy directory in PingFederate runtime nodes is reachable to unauthorized users. El directorio de implementación en los nodos de tiempo de ejecución de PingFederate es accesible para usuarios no autorizados. • https://docs.pingidentity.com/r/en-us/pingfederate-120/lwu1707324350083 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2024-22477 – PingFederate OIDC Policy Management Editor Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2024-22477
A cross-site scripting vulnerability exists in the admin console OIDC Policy Management Editor. The impact is contained to admin console users only. Existe una vulnerabilidad de Cross Site Scripting en la consola de administración de OIDC Policy Management Editor. El impacto está limitado a los usuarios de la consola de administración únicamente. • https://docs.pingidentity.com/r/en-us/pingfederate-120/lwu1707324350083 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2023-40148 – PingFederate Server Side Request Forgery vulnerability
https://notcve.org/view.php?id=CVE-2023-40148
Server-side request forgery (SSRF) in PingFederate allows unauthenticated http requests to attack network resources and consume server-side resources via forged HTTP POST requests. Server-Side Request Forgery (SSRF) en PingFederate permite que las solicitudes http no autenticadas ataquen recursos de la red y consuman recursos del lado del servidor a través de solicitudes HTTP POST falsificadas. • https://docs.pingidentity.com/r/en-us/pingfederate-120/tuj1708533127032 https://www.pingidentity.com/en/resources/downloads/pingfederate/previous-releases.html • CWE-918: Server-Side Request Forgery (SSRF) •
CVE-2023-34085 – User Attribute Disclosure via DynamoDB Data Stores
https://notcve.org/view.php?id=CVE-2023-34085
When an AWS DynamoDB table is used for user attribute storage, it is possible to retrieve the attributes of another user using a maliciously crafted request Cuando se utiliza una tabla de AWS DynamoDB para el almacenamiento de atributos de usuario, es posible recuperar los atributos de otro usuario mediante una solicitud manipulada con fines malintencionados. • https://docs.pingidentity.com/r/en-us/pingfederate-113/gyk1689105783244 https://www.pingidentity.com/en/resources/downloads/pingfederate.html • CWE-359: Exposure of Private Personal Information to an Unauthorized Actor •