Pingidentity Pingfederate — known CVE vulnerabilities
Every CVE whose affected-product data names Pingidentity Pingfederate, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (14)
CVE-2021-40329 — CVSS 9.8 (critical): The Authentication API in Ping Identity PingFederate before 10.3 mishandles certain aspects of external password management.
CVE-2023-40545 — CVSS 8.8 (high): Authentication bypass when an OAuth2 Client is using client_secret_jwt as its authentication method on affected 11.3 versions via specially…
CVE-2023-37283 — CVSS 8.1 (high): Under a very specific and highly unrecommended configuration, authentication bypass is possible in the PingFederate Identifier First Adapter
CVE-2022-40722 — CVSS 7.7 (high): A misconfiguration of RSA padding implemented in the PingID Adapter for PingFederate to support Offline MFA with PingID mobile…
CVE-2023-39219 — CVSS 7.5 (high): PingFederate Administrative Console dependency contains a weakness where console becomes unresponsive with crafted Java class loading…
CVE-2021-41770 — CVSS 7.5 (high): Ping Identity PingFederate before 10.3.1 mishandles pre-parsing validation, leading to an XXE attack that can achieve XML file disclosure.
CVE-2022-40723 — CVSS 6.5 (medium): The PingID RADIUS PCV adapter for PingFederate, which supports RADIUS authentication with PingID MFA, is vulnerable to MFA bypass under…
CVE-2022-23722 — CVSS 6.5 (medium): When a password reset mechanism is configured to use the Authentication API with an Authentication Policy, email One-Time Password, PingID…
CVE-2014-8489 — CVSS 6.4 (medium): Open redirect vulnerability in startSSO.ping in the SP Endpoints in Ping Identity PingFederate 6.10.1 allows remote attackers to redirect…
CVE-2022-40724 — CVSS 6.4 (medium): The PingFederate Local Identity Profiles '/pf/idprofile.ping' endpoint is vulnerable to Cross-Site Request Forgery (CSRF) through crafted…
CVE-2021-42000 — CVSS 5.3 (medium): When a password reset or password change flow with an authentication policy is configured and the adapter in the reset or change policy…
CVE-2023-34085 — CVSS 2.6 (low): When an AWS DynamoDB table is used for user attribute storage, it is possible to retrieve the attributes of another user using a…
CVE-2024-22477 — CVSS 1.8 (low): A cross-site scripting vulnerability exists in the admin console OIDC Policy Management Editor. The impact is contained to admin console…