Latest Pingidentity Vulnerabilities

PingFederate OAuth client_secret_jwt Authentication Bypass
Pingidentity Pingfederate=11.3.0
Delegated Admin Virtual Attribute Provider Privilege Escalation
Pingidentity Pingdirectory>=8.3.0.0<=8.3.0.8
Pingidentity Pingdirectory>=9.0.0.0<=9.0.0.5
Pingidentity Pingdirectory>=9.1.0.0<=9.1.0.2
Pingidentity Pingdirectory=9.2.0.0
Pingidentity Pingdirectory=9.2.0.1
Pingidentity Pingdirectory=9.3.0.0
and 1 more
A first-factor authentication bypass vulnerability exists in the PingFederate with PingID Radius PCV when a MSCHAP authentication request is sent via a maliciously crafted RADIUS client request.
Pingidentity Pingid Radius Pcv>=3.0.0<3.0.3
PingFederate using the PingOne MFA adapter allows a new MFA device to be paired without requiring second factor authentication from an existing registered device. A threat actor may be able to exploit...
Pingidentity Pingone Mfa Integration Kit=2.2
PingFederate Administrative Console dependency contains a weakness where console becomes unresponsive with crafted Java class loading enumeration requests
Pingidentity Pingfederate>=10.3.0<=10.3.12
Pingidentity Pingfederate>=11.1.0<=11.1.7
Pingidentity Pingfederate>=11.2.0<=11.2.6
Pingidentity Pingfederate=11.3.0
Under a very specific and highly unrecommended configuration, authentication bypass is possible in the PingFederate Identifier First Adapter
Pingidentity Pingfederate>=10.3.0<=10.3.12
Pingidentity Pingfederate>=11.1.0<=11.1.7
Pingidentity Pingfederate>=11.2.0<=11.2.6
Pingidentity Pingfederate=11.3.0
When an AWS DynamoDB table is used for user attribute storage, it is possible to retrieve the attributes of another user using a maliciously crafted request
Pingidentity Pingfederate<=11.3.0
PingID integration for Windows login prior to 2.9 does not handle duplicate usernames, which can lead to a username collision when two people with the same username are provisioned onto the same machi...
Pingidentity Pingid Integration For Windows Login<2.9
A misconfiguration of RSA padding implemented in the PingID Adapter for PingFederate to support Offline MFA with PingID mobile authenticators is vulnerable to pre-computed dictionary attacks, leading ...
Pingidentity Pingfederate>=11.1.0<=11.1.5
Pingidentity Pingfederate>=11.2.0<=11.2.2
Pingidentity Pingid Adapter For Pingfederate<2.13.2
Pingidentity Pingid Integration Kit<2.24
The PingFederate Local Identity Profiles '/pf/idprofile.ping' endpoint is vulnerable to Cross-Site Request Forgery (CSRF) through crafted GET requests.
Pingidentity Pingfederate>=10.3.0<=10.3.11
Pingidentity Pingfederate>=11.0.0<=11.0.6
Pingidentity Pingfederate>=11.1.0<=11.1.5
Pingidentity Pingfederate>=11.2.0<=11.2.2
Pingidentity Pingfederate>=11.1.0<=11.1.5
Pingidentity Pingfederate>=11.2.0<=11.2.2
Pingidentity Pingid Integration Kit<2.24
Pingidentity Radius Pcv>=3.0.0<3.0.2
Pingidentity Radius Pcv=2.10.0
PingID Desktop prior to the latest released version 1.7.4 contains a vulnerability that can be exploited to bypass the maximum PIN attempts permitted before the time-based lockout is activated.
Pingidentity Desktop<1.7.4
Ping Identity Self-Service Account Manager SSAMController.java cross site scripting
Pingidentity Self-service Account Manager=1.1.2
=1.1.2
PingCentral versions prior to listed versions expose Spring Boot actuator endpoints that with administrative authentication return large amounts of sensitive environmental and application information.
Pingidentity Pingcentral>=1.8<1.8.4
Pingidentity Pingcentral>=1.9<1.9.3
PingID Windows Login prior to 2.8 is vulnerable to a denial of service condition on local machines when combined with using offline security keys as part of authentication.
Pingidentity Pingid Integration For Windows Login<2.8
PingID Windows Login prior to 2.8 does not alert or halt operation if it has been provisioned with the full permissions PingID properties file. An IT administrator could mistakenly deploy administrato...
Pingidentity Pingid Integration For Windows Login<2.8
PingID Windows Login prior to 2.8 does not properly set permissions on the Windows Registry entries used to store sensitive API keys under some circumstances.
Pingidentity Pingid Integration For Windows Login<2.8
Pingidentity Pingid Integration For Windows Login<2.8
Pingidentity Pingid Integration For Mac Login<1.1
Apple macOS
PingID Windows Login prior to 2.8 does not authenticate communication with a local Java service used to capture security key requests. An attacker with the ability to execute code on the target machin...
Pingidentity Pingid Integration For Windows Login<2.8
Use of static encryption key material allows forging an authentication token to other users within a tenant organization. MFA may be bypassed by redirecting an authentication flow to a target user. To...
Pingidentity Pingid Integration For Windows Login<2.4.2
An MFA bypass vulnerability exists in the PingFederate PingOne MFA Integration Kit when adapter HTML templates are used as part of an authentication flow.
Pingidentity Pingone Mfa Integration Kit=1.4
Pingidentity Pingone Mfa Integration Kit=1.4.1
Pingidentity Pingone Mfa Integration Kit=1.5
Pingidentity Pingone Mfa Integration Kit=1.5.1
Pingidentity Pingone Mfa Integration Kit=1.5.2
When a password reset mechanism is configured to use the Authentication API with an Authentication Policy, email One-Time Password, PingID or SMS authentication, an existing user can reset another exi...
Pingidentity Pingfederate>=9.3.0<9.3.3
Pingidentity Pingfederate>=10.0.0<10.0.12
Pingidentity Pingfederate>=10.1.0<10.1.9
Pingidentity Pingfederate>=10.2.0<10.2.7
Pingidentity Pingfederate>=10.3.0<10.3.4
Pingidentity Pingfederate=9.3.3-p15
and 1 more
PingID Desktop prior to 1.7.3 has a misconfiguration in the encryption libraries which can lead to sensitive data exposure. An attacker capable of exploiting this vulnerability may be able to successf...
Pingidentity Pingid Desktop<1.7.3
Pingidentity Pingid Desktop<1.7.3
A misconfiguration of RSA in PingID Windows Login prior to 2.7 is vulnerable to pre-computed dictionary attacks, leading to an offline MFA bypass.
Pingidentity Pingid Integration For Windows Login<2.7
A misconfiguration of RSA in PingID iOS app prior to 1.19 is vulnerable to pre-computed dictionary attacks, leading to an offline MFA bypass when using PingID Windows Login.
Pingidentity Pingid<1.19
Pingidentity Pingid Windows Login
A misconfiguration of RSA in PingID Android app prior to 1.19 is vulnerable to pre-computed dictionary attacks, leading to an offline MFA bypass when using PingID Windows Login.
Pingidentity Pingid<1.19
Pingidentity Pingid Windows Login
When a password reset or password change flow with an authentication policy is configured and the adapter in the reset or change policy supports multiple parallel reset flows, an existing user can res...
Pingidentity Pingfederate<=9.3.0
Pingidentity Pingfederate>=10.0.0<=10.0.11
Pingidentity Pingfederate>=10.1.0<=10.1.8
Pingidentity Pingfederate>=10.2.0<=10.2.6
Pingidentity Pingfederate>=10.3.0<=10.3.2
Pingidentity Pingfederate=9.3.3
and 1 more
Ping Identity PingFederate before 10.3.1 mishandles pre-parsing validation, leading to an XXE attack that can achieve XML file disclosure.
Pingidentity Pingfederate<10.3.1
The Authentication API in Ping Identity PingFederate before 10.3 mishandles certain aspects of external password management.
Pingidentity Pingfederate<10.3
Pingidentity Pingaccess<5.3.3
In Ping Identity RSA SecurID Integration Kit before 3.2, user impersonation can occur.
Pingidentity Rsa Securid Integration Kit<3.2
PingID Integration for Windows Login before 2.4.2 allows local users to gain privileges by modifying CefSharp.BrowserSubprocess.exe.
Pingidentity Pingid Integration For Windows Login<2.4.2
Ping Identity PingID SSH before 4.0.14 contains a heap buffer overflow in PingID-enrolled servers. This condition can be potentially exploited into a Remote Code Execution vector on the authenticating...
Pingidentity Pingid Ssh Integration<4.0.14
XSS exists in Ping Identity Agentless Integration Kit before 1.5.
Pingidentity Agentless Integration Kit<1.5

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203