CVSS: 3.5EPSS: 0%CPEs: 4EXPL: 0CVE-2024-21832 – PingFederate REST API Data Store Injection
https://notcve.org/view.php?id=CVE-2024-21832
A potential JSON injection attack vector exists in PingFederate REST API data stores using the POST method and a JSON request body. Existe un posible vector de ataque de inyección JSON en los almacenes de datos de la API REST de PingFederate utilizando el método POST y un cuerpo de solicitud JSON. • https://docs.pingidentity.com/r/en-us/pingfederate-120/lwu1707324350083 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 5.3EPSS: 0%CPEs: 5EXPL: 0CVE-2024-22377 – PingFederate Runtime Node Path Traversal
https://notcve.org/view.php?id=CVE-2024-22377
The deploy directory in PingFederate runtime nodes is reachable to unauthorized users. El directorio de implementación en los nodos de tiempo de ejecución de PingFederate es accesible para usuarios no autorizados. • https://docs.pingidentity.com/r/en-us/pingfederate-120/lwu1707324350083 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 1.8EPSS: 0%CPEs: 5EXPL: 0CVE-2024-22477 – PingFederate OIDC Policy Management Editor Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2024-22477
A cross-site scripting vulnerability exists in the admin console OIDC Policy Management Editor. The impact is contained to admin console users only. Existe una vulnerabilidad de Cross Site Scripting en la consola de administración de OIDC Policy Management Editor. El impacto está limitado a los usuarios de la consola de administración únicamente. • https://docs.pingidentity.com/r/en-us/pingfederate-120/lwu1707324350083 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 4EXPL: 0CVE-2023-40148 – PingFederate Server Side Request Forgery vulnerability
https://notcve.org/view.php?id=CVE-2023-40148
Server-side request forgery (SSRF) in PingFederate allows unauthenticated http requests to attack network resources and consume server-side resources via forged HTTP POST requests. Server-Side Request Forgery (SSRF) en PingFederate permite que las solicitudes http no autenticadas ataquen recursos de la red y consuman recursos del lado del servidor a través de solicitudes HTTP POST falsificadas. • https://docs.pingidentity.com/r/en-us/pingfederate-120/tuj1708533127032 https://www.pingidentity.com/en/resources/downloads/pingfederate/previous-releases.html • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-40545 – PingFederate OAuth client_secret_jwt Authentication Bypass
https://notcve.org/view.php?id=CVE-2023-40545
Authentication bypass when an OAuth2 Client is using client_secret_jwt as its authentication method on affected 11.3 versions via specially crafted requests. Omisión de autenticación cuando un cliente OAuth2 utiliza client_secret_jwt como método de autenticación en las versiones 11.3 afectadas a través de solicitudes especialmente manipuladas. • https://docs.pingidentity.com/r/en-us/pingfederate-113/hro1701116403236 https://support.pingidentity.com/s/article/SECADV040-PingFederate-OAuth-Client-Authentication-Bypass https://www.pingidentity.com/en/resources/downloads/pingfederate/previous-releases.html • CWE-306: Missing Authentication for Critical Function •