threatengine.sh

Product: pingidentity pingfederate
14 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph.
CVE | Affected versions | CVSS (severity)

CVE-2024-22477 | >= 10.3.0 and <= 10.3.13 | 1.8 (LOW)
A cross-site scripting vulnerability exists in the admin console OIDC Policy Management Editor. The impact is contained to admin c

CVE-2024-22377 | >= 10.3.0 and <= 10.3.13 | 5.3 (MEDIUM)
The deploy directory in PingFederate runtime nodes is reachable to unauthorized users.

CVE-2023-40545 | all versions | 8.8 (HIGH)
Authentication bypass when an OAuth2 Client is using client_secret_jwt as its authentication method on affected 11.3 versions via

CVE-2023-39219 | >= 10.3.0 and <= 10.3.12 | 7.5 (HIGH)
PingFederate Administrative Console dependency contains a weakness where console becomes unresponsive with crafted Java class load

CVE-2023-37283 | >= 10.3.0 and <= 10.3.12 | 8.1 (HIGH)
Under a very specific and highly unrecommended configuration, authentication bypass is possible in the PingFederate Identifier Fir

CVE-2023-34085 | <= 11.3.0 | 2.6 (LOW)
When an AWS DynamoDB table is used for user attribute storage, it is possible to retrieve the attributes of another user using a m

CVE-2022-40724 | >= 10.3.0 and <= 10.3.11 | 6.4 (MEDIUM)
The PingFederate Local Identity Profiles '/pf/idprofile.ping' endpoint is vulnerable to Cross-Site Request Forgery (CSRF) through

CVE-2022-40723 | >= 11.1.0 and <= 11.1.5 | 6.5 (MEDIUM)
The PingID RADIUS PCV adapter for PingFederate, which supports RADIUS authentication with PingID MFA, is vulnerable to MFA bypass

CVE-2022-40722 | >= 11.1.0 and <= 11.1.5 | 7.7 (HIGH)
A misconfiguration of RSA padding implemented in the PingID Adapter for PingFederate to support Offline MFA with PingID mobile aut

CVE-2022-23722 | >= 9.3.0 and < 9.3.3 | 6.5 (MEDIUM)
When a password reset mechanism is configured to use the Authentication API with an Authentication Policy, email One-Time Password

CVE-2021-42000 | <= 9.3.0 | 5.3 (MEDIUM)
When a password reset or password change flow with an authentication policy is configured and the adapter in the reset or change p

CVE-2021-41770 | < 10.3.1 | 7.5 (HIGH)
Ping Identity PingFederate before 10.3.1 mishandles pre-parsing validation, leading to an XXE attack that can achieve XML file dis

CVE-2021-40329 | < 10.3 | 9.8 (CRITICAL)
The Authentication API in Ping Identity PingFederate before 10.3 mishandles certain aspects of external password management.

CVE-2014-8489 | all versions
Open redirect vulnerability in startSSO.ping in the SP Endpoints in Ping Identity PingFederate 6.10.1 allows remote attackers to r
threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin