CVE-2024-21832

PingFederate REST API Data Store Injection

Severity Score

3.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

A potential JSON injection attack vector exists in PingFederate REST API data stores using the POST method and a JSON request body.

Existe un posible vector de ataque de inyección JSON en los almacenes de datos de la API REST de PingFederate utilizando el método POST y un cuerpo de solicitud JSON.

*Credits: N/A

CVSS Scores

Ping Identity Corporationv3.1 3.5

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

None

Integrity

Low

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-01-17 CVE Reserved
2024-07-09 CVE Published
2024-07-10 EPSS Updated
2024-08-01 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-94: Improper Control of Generation of Code ('Code Injection')

CAPEC

CAPEC-242: Code Injection

References (1)

URL	Tag	Source
https://docs.pingidentity.com/r/en-us/pingfederate-120/lwu1707324350083

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Ping Identity Search vendor "Ping Identity"		PingFederate Search vendor "Ping Identity" for product "PingFederate"				>= 11.0.0 <= 11.0.9 Search vendor "Ping Identity" for product "PingFederate" and version " >= 11.0.0 <= 11.0.9"		en		Affected
Ping Identity Search vendor "Ping Identity"		PingFederate Search vendor "Ping Identity" for product "PingFederate"				>= 11.1.0 <= 11.1.9 Search vendor "Ping Identity" for product "PingFederate" and version " >= 11.1.0 <= 11.1.9"		en		Affected
Ping Identity Search vendor "Ping Identity"		PingFederate Search vendor "Ping Identity" for product "PingFederate"				>= 11.2.0 <= 11.2.8 Search vendor "Ping Identity" for product "PingFederate" and version " >= 11.2.0 <= 11.2.8"		en		Affected
Ping Identity Search vendor "Ping Identity"		PingFederate Search vendor "Ping Identity" for product "PingFederate"				>= 11.3.0 <= 11.3.4 Search vendor "Ping Identity" for product "PingFederate" and version " >= 11.3.0 <= 11.3.4"		en		Affected