Latest Pingidentity Vulnerabilities

CVE-2023-40545
PingFederate OAuth client_secret_jwt Authentication Bypass
Pingidentity Pingfederate=11.3.0
CVE-2023-36496
Delegated Admin Virtual Attribute Provider Privilege Escalation
Pingidentity Pingdirectory>=8.3.0.0<=8.3.0.8
Pingidentity Pingdirectory>=9.0.0.0<=9.0.0.5
Pingidentity Pingdirectory>=9.1.0.0<=9.1.0.2
Pingidentity Pingdirectory=9.2.0.0
Pingidentity Pingdirectory=9.2.0.1
Pingidentity Pingdirectory=9.3.0.0
and 1 more
CVE-2023-39930
A first-factor authentication bypass vulnerability exists in the PingFederate with PingID Radius PCV when a MSCHAP authentication request is sent via a maliciously crafted RADIUS client request.
Pingidentity Pingid Radius Pcv>=3.0.0<3.0.3
CVE-2023-39231
PingFederate using the PingOne MFA adapter allows a new MFA device to be paired without requiring second factor authentication from an existing registered device. A threat actor may be able to exploit...
Pingidentity Pingone Mfa Integration Kit=2.2
CVE-2023-39219
PingFederate Administrative Console dependency contains a weakness where console becomes unresponsive with crafted Java class loading enumeration requests
Pingidentity Pingfederate>=10.3.0<=10.3.12
Pingidentity Pingfederate>=11.1.0<=11.1.7
Pingidentity Pingfederate>=11.2.0<=11.2.6
Pingidentity Pingfederate=11.3.0
CVE-2023-37283
Under a very specific and highly unrecommended configuration, authentication bypass is possible in the PingFederate Identifier First Adapter
Pingidentity Pingfederate>=10.3.0<=10.3.12
Pingidentity Pingfederate>=11.1.0<=11.1.7
Pingidentity Pingfederate>=11.2.0<=11.2.6
Pingidentity Pingfederate=11.3.0
CVE-2023-34085
When an AWS DynamoDB table is used for user attribute storage, it is possible to retrieve the attributes of another user using a maliciously crafted request
Pingidentity Pingfederate<=11.3.0
CVE-2022-40724
The PingFederate Local Identity Profiles '/pf/idprofile.ping' endpoint is vulnerable to Cross-Site Request Forgery (CSRF) through crafted GET requests.
Pingidentity Pingfederate>=10.3.0<=10.3.11
Pingidentity Pingfederate>=11.0.0<=11.0.6
Pingidentity Pingfederate>=11.1.0<=11.1.5
Pingidentity Pingfederate>=11.2.0<=11.2.2
CVE-2022-23721
PingID integration for Windows login prior to 2.9 does not handle duplicate usernames, which can lead to a username collision when two people with the same username are provisioned onto the same machi...
Pingidentity Pingid Integration For Windows Login<2.9
CVE-2022-40722
A misconfiguration of RSA padding implemented in the PingID Adapter for PingFederate to support Offline MFA with PingID mobile authenticators is vulnerable to pre-computed dictionary attacks, leading ...
Pingidentity Pingfederate>=11.1.0<=11.1.5
Pingidentity Pingfederate>=11.2.0<=11.2.2
Pingidentity Pingid Adapter For Pingfederate<2.13.2
Pingidentity Pingid Integration Kit<2.24
CVE-2022-40723
Pingidentity Pingfederate>=11.1.0<=11.1.5
Pingidentity Pingfederate>=11.2.0<=11.2.2
Pingidentity Pingid Integration Kit<2.24
Pingidentity Radius Pcv>=3.0.0<3.0.2
Pingidentity Radius Pcv=2.10.0
CVE-2022-40725
PingID Desktop prior to the latest released version 1.7.4 contains a vulnerability that can be exploited to bypass the maximum PIN attempts permitted before the time-based lockout is activated.
Pingidentity Desktop<1.7.4
CVE-2018-25084
Ping Identity Self-Service Account Manager SSAMController.java cross site scripting
Pingidentity Self-service Account Manager=1.1.2
=1.1.2
CVE-2022-23726
PingCentral versions prior to listed versions expose Spring Boot actuator endpoints that with administrative authentication return large amounts of sensitive environmental and application information.
Pingidentity Pingcentral>=1.8<1.8.4
Pingidentity Pingcentral>=1.9<1.9.3
CVE-2022-23720
PingID Windows Login prior to 2.8 does not alert or halt operation if it has been provisioned with the full permissions PingID properties file. An IT administrator could mistakenly deploy administrato...
Pingidentity Pingid Integration For Windows Login<2.8
CVE-2022-23717
PingID Windows Login prior to 2.8 is vulnerable to a denial of service condition on local machines when combined with using offline security keys as part of authentication.
Pingidentity Pingid Integration For Windows Login<2.8
CVE-2022-23725
PingID Windows Login prior to 2.8 does not properly set permissions on the Windows Registry entries used to store sensitive API keys under some circumstances.
Pingidentity Pingid Integration For Windows Login<2.8
CVE-2022-23718
Pingidentity Pingid Integration For Windows Login<2.8
CVE-2021-41995
Pingidentity Pingid Integration For Mac Login<1.1
Apple macOS
CVE-2022-23719
PingID Windows Login prior to 2.8 does not authenticate communication with a local Java service used to capture security key requests. An attacker with the ability to execute code on the target machin...
Pingidentity Pingid Integration For Windows Login<2.8
CVE-2022-23724
Use of static encryption key material allows forging an authentication token to other users within a tenant organization. MFA may be bypassed by redirecting an authentication flow to a target user. To...
Pingidentity Pingid Integration For Windows Login<2.4.2
CVE-2022-23722
When a password reset mechanism is configured to use the Authentication API with an Authentication Policy, email One-Time Password, PingID or SMS authentication, an existing user can reset another exi...
Pingidentity Pingfederate>=9.3.0<9.3.3
Pingidentity Pingfederate>=10.0.0<10.0.12
Pingidentity Pingfederate>=10.1.0<10.1.9
Pingidentity Pingfederate>=10.2.0<10.2.7
Pingidentity Pingfederate>=10.3.0<10.3.4
Pingidentity Pingfederate=9.3.3-p15
and 1 more
CVE-2022-23723
An MFA bypass vulnerability exists in the PingFederate PingOne MFA Integration Kit when adapter HTML templates are used as part of an authentication flow.
Pingidentity Pingone Mfa Integration Kit=1.4
Pingidentity Pingone Mfa Integration Kit=1.4.1
Pingidentity Pingone Mfa Integration Kit=1.5
Pingidentity Pingone Mfa Integration Kit=1.5.1
Pingidentity Pingone Mfa Integration Kit=1.5.2
CVE-2021-42001
PingID Desktop prior to 1.7.3 has a misconfiguration in the encryption libraries which can lead to sensitive data exposure. An attacker capable of exploiting this vulnerability may be able to successf...
Pingidentity Pingid Desktop<1.7.3
Pingidentity Pingid Desktop<1.7.3
CVE-2021-41992
A misconfiguration of RSA in PingID Windows Login prior to 2.7 is vulnerable to pre-computed dictionary attacks, leading to an offline MFA bypass.
Pingidentity Pingid Integration For Windows Login<2.7
CVE-2021-41994
A misconfiguration of RSA in PingID iOS app prior to 1.19 is vulnerable to pre-computed dictionary attacks, leading to an offline MFA bypass when using PingID Windows Login.
Pingidentity Pingid<1.19
Pingidentity Pingid Windows Login
CVE-2021-41993
A misconfiguration of RSA in PingID Android app prior to 1.19 is vulnerable to pre-computed dictionary attacks, leading to an offline MFA bypass when using PingID Windows Login.
Pingidentity Pingid<1.19
Pingidentity Pingid Windows Login
CVE-2021-42000
When a password reset or password change flow with an authentication policy is configured and the adapter in the reset or change policy supports multiple parallel reset flows, an existing user can res...
Pingidentity Pingfederate<=9.3.0
Pingidentity Pingfederate>=10.0.0<=10.0.11
Pingidentity Pingfederate>=10.1.0<=10.1.8
Pingidentity Pingfederate>=10.2.0<=10.2.6
Pingidentity Pingfederate>=10.3.0<=10.3.2
Pingidentity Pingfederate=9.3.3
and 1 more
CVE-2021-41770
Ping Identity PingFederate before 10.3.1 mishandles pre-parsing validation, leading to an XXE attack that can achieve XML file disclosure.
Pingidentity Pingfederate<10.3.1
CVE-2021-40329
The Authentication API in Ping Identity PingFederate before 10.3 mishandles certain aspects of external password management.
Pingidentity Pingfederate<10.3
CVE-2021-31923
Pingidentity Pingaccess<5.3.3
CVE-2021-39270
In Ping Identity RSA SecurID Integration Kit before 3.2, user impersonation can occur.
Pingidentity Rsa Securid Integration Kit<3.2
CVE-2020-25826
PingID Integration for Windows Login before 2.4.2 allows local users to gain privileges by modifying CefSharp.BrowserSubprocess.exe.
Pingidentity Pingid Integration For Windows Login<2.4.2
CVE-2020-10654
Ping Identity PingID SSH before 4.0.14 contains a heap buffer overflow in PingID-enrolled servers. This condition can be potentially exploited into a Remote Code Execution vector on the authenticating...
Pingidentity Pingid Ssh Integration<4.0.14
CVE-2019-13564
XSS exists in Ping Identity Agentless Integration Kit before 1.5.
Pingidentity Agentless Integration Kit<1.5

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203