GCVE - cpe:2.3:a:pingidentity:pingfederate:*:*:*:*:*:*:*:*

Approved changes feed: RSS · Atom

cpe:2.3:a:pingidentity:pingfederate:*:*:*:*:*:*:*:*

part: a version: * update: *

Vendor	Pingidentity (`f56e02bf-5fbe-54aa-9dfd-2b764962bd7c`)
Product	Pingfederate (`a526eb7e-24df-5707-978d-39838877022a`)
Edition	*
Language	*
Software edition	*
Target software	*
Target hardware	*
Other	*
Notes	Imported from purl2cpe mapping

PURL mappings

PURL	Source	Last updated
`pkg:docker/pingidentity/pingfederate`	purl2cpe	2026-06-01 10:12:01.767941

Vulnerability references

Identifier	cpeApplicability	Submitted	db.gcve.eu details	Rationale
`CVE:CVE-2024-22477`	vulnerable	2026-06-03 14:55:01.245418	PingFederate OIDC Policy Management Editor Cross-Site Scripting LOW (1.8) A cross-site scripting vulnerability exists in the admin console OIDC Policy Management Editor. The impact is contained to admin console users only. Published: 2024-07-09T23:01:28.611Z Updated: 2024-08-01T22:51:09.905Z Open on db.gcve.eu Reference links https://docs.pingidentity.com/r/en-us/pingfederate-120/lwu1707324350083	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2024-22377`	vulnerable	2026-06-03 14:55:00.561601	PingFederate Runtime Node Path Traversal MEDIUM (5.3) The deploy directory in PingFederate runtime nodes is reachable to unauthorized users. Published: 2024-07-09T23:03:27.722Z Updated: 2024-08-01T22:43:34.512Z Open on db.gcve.eu Reference links https://docs.pingidentity.com/r/en-us/pingfederate-120/lwu1707324350083	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2023-40545`	vulnerable	2026-06-03 14:52:49.924324	PingFederate OAuth client_secret_jwt Authentication Bypass HIGH (8.8) Authentication bypass when an OAuth2 Client is using client_secret_jwt as its authentication method on affected 11.3 versions via specially crafted requests. Published: 2024-02-06T17:27:42.361Z Updated: 2024-08-22T16:53:12.079Z Open on db.gcve.eu Reference links https://support.pingidentity.com/s/article/SECADV040-PingFederate-OAuth-Client-Authentication-Bypass https://www.pingidentity.com/en/resources/downloads/pingfederate/previous-releases.html https://docs.pingidentity.com/r/en-us/pingfederate-113/hro1701116403236	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2023-39219`	vulnerable	2026-06-03 14:52:37.948398	Admin Console Denial of Service via Java class enumeration HIGH (7.5) PingFederate Administrative Console dependency contains a weakness where console becomes unresponsive with crafted Java class loading enumeration requests Published: 2023-10-25T01:44:44.362Z Updated: 2025-06-12T14:58:40.168Z Open on db.gcve.eu Reference links https://www.pingidentity.com/en/resources/downloads/pingfederate.html https://docs.pingidentity.com/r/en-us/pingfederate-113/gyk1689105783244	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2023-37283`	vulnerable	2026-06-03 14:52:28.669423	Authentication Bypass via HTML Form & Identifier First Adapter HIGH (8.1) Under a very specific and highly unrecommended configuration, authentication bypass is possible in the PingFederate Identifier First Adapter Published: 2023-10-25T01:24:47.780Z Updated: 2024-08-02T17:09:34.014Z Open on db.gcve.eu Reference links https://www.pingidentity.com/en/resources/downloads/pingfederate.html https://docs.pingidentity.com/r/en-us/pingfederate-113/gyk1689105783244	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2023-34085`	vulnerable	2026-06-03 14:52:15.584417	User Attribute Disclosure via DynamoDB Data Stores LOW (2.6) When an AWS DynamoDB table is used for user attribute storage, it is possible to retrieve the attributes of another user using a maliciously crafted request Published: 2023-10-25T02:03:56.433Z Updated: 2024-09-10T15:05:08.099Z Open on db.gcve.eu Reference links https://www.pingidentity.com/en/resources/downloads/pingfederate.html https://docs.pingidentity.com/r/en-us/pingfederate-113/gyk1689105783244	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2022-40724`	vulnerable	2026-06-03 14:48:03.468440	Cross-Site Request Forgery on PingFederate Local Identity Profiles Endpoint. MEDIUM (6.4) The PingFederate Local Identity Profiles '/pf/idprofile.ping' endpoint is vulnerable to Cross-Site Request Forgery (CSRF) through crafted GET requests. Published: 2023-04-25T00:00:00.000Z Updated: 2025-02-04T14:48:33.050Z Open on db.gcve.eu Reference links https://docs.pingidentity.com/r/en-us/pingfederate-110/fll1675188537050	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2022-40723`	vulnerable	2026-06-03 14:48:03.465659	Configuration-based MFA Bypass in PingID RADIUS PCV. MEDIUM (6.5) The PingID RADIUS PCV adapter for PingFederate, which supports RADIUS authentication with PingID MFA, is vulnerable to MFA bypass under certain configurations. Published: 2023-04-25T00:00:00.000Z Updated: 2025-02-04T14:48:54.313Z Open on db.gcve.eu Reference links https://docs.pingidentity.com/r/en-us/pingid/pingid_integration_kit_2_19_rn	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2022-40722`	vulnerable	2026-06-03 14:48:03.460373	Misconfiguration of RSA padding for offline MFA in the PingID Adapter for PingFederate. HIGH (7.7) A misconfiguration of RSA padding implemented in the PingID Adapter for PingFederate to support Offline MFA with PingID mobile authenticators is vulnerable to pre-computed dictionary attacks, leading to a bypass of offline MFA. Published: 2023-04-25T00:00:00.000Z Updated: 2025-02-04T14:49:20.723Z Open on db.gcve.eu Reference links https://docs.pingidentity.com/r/en-us/pingid/pingid_integration_kit_2_20_rn https://docs.pingidentity.com/r/en-us/pingid/pingid_adapter_configuring_offline_mfa	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2022-23722`	vulnerable	2026-06-03 14:46:28.159608	PingFederate Password Reset via Authentication API Mishandling When a password reset mechanism is configured to use the Authentication API with an Authentication Policy, email One-Time Password, PingID or SMS authentication, an existing user can reset another existing user’s password. Published: 2022-05-02T22:05:13.000Z Updated: 2024-08-03T03:51:46.174Z Open on db.gcve.eu Reference links https://www.pingidentity.com/en/resources/downloads/pingfederate.html https://docs.pingidentity.com/bundle/pingfederate-110/page/spk1642790928508.html	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2021-42000`	vulnerable	2026-06-03 14:45:26.487279	Ping Identity PingFederate Password Reset and Password Change Mishandling with an authentication policy in parallel reset flows MEDIUM (5.3) When a password reset or password change flow with an authentication policy is configured and the adapter in the reset or change policy supports multiple parallel reset flows, an existing user can reset another existing users password. Published: 2022-02-10T22:30:11.000Z Updated: 2024-08-04T03:22:25.779Z Open on db.gcve.eu Reference links https://www.pingidentity.com/en/resources/downloads/pingfederate.html https://docs.pingidentity.com/bundle/pingfederate-103/page/hhm1634833631515.html	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2021-41770`	vulnerable	2026-06-03 14:45:26.204711	Details available Ping Identity PingFederate before 10.3.1 mishandles pre-parsing validation, leading to an XXE attack that can achieve XML file disclosure. Published: 2021-10-07T06:24:36.000Z Updated: 2024-08-04T03:15:29.278Z Open on db.gcve.eu Reference links https://www.pingidentity.com/en/resources/downloads/pingfederate.html https://docs.pingidentity.com/bundle/pingfederate-103/page/ruz1628492711606.html	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2021-40329`	vulnerable	2026-06-03 14:45:23.356233	Details available The Authentication API in Ping Identity PingFederate before 10.3 mishandles certain aspects of external password management. Published: 2021-09-27T16:22:11.000Z Updated: 2024-08-04T02:27:31.919Z Open on db.gcve.eu Reference links https://docs.pingidentity.com/bundle/pingfederate-103/page/cou1615333347158.html	Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.