Pingfederate
Approved changes feed: RSS · Atom
cpe:2.3:a:ping_identity:pingfederate:*:*:*:*:*:*:*:*
part: a version: * update: *
| Vendor | Ping Identity (6d158c0c-35d7-577e-9df0-1f89137d9677) |
|---|---|
| Product | Pingfederate (ae7bc1bb-a7bd-581c-8595-c13b01913f39) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | * |
| Target hardware | * |
| Other | * |
| Notes | Imported from gcve-enriched-dumps CVE data |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
| No PURL mappings for this CPE yet. | ||
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
CVE:CVE-2025-26862 |
vulnerable | 2026-06-03 15:00:08.575740 |
PingFederate unexpected browser flow initiation in redirectless mode
Unexpected authentication form rendering in HTML Form Adapter using only non-default redirectless mode in PingFederate allows authentication attempts which may enable brute force login attacks.
Published: 2025-10-27T14:39:41.284Z
Updated: 2025-10-27T14:48:11.544Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-22854 |
vulnerable | 2026-06-03 14:59:41.610432 |
Possible thread exhaustion from processing http responses in PingFederate Google Adapter
Improper handling of non-200 http responses in the PingFederate Google Adapter leads to thread exhaustion under normal usage conditions.
Published: 2025-06-15T15:00:06.010Z
Updated: 2025-06-16T18:07:39.037Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-21085 |
vulnerable | 2026-06-03 14:59:17.241003 |
PingFederate OAuth Grant attribute duplication may use excessive memory
PingFederate OAuth2 grant duplication in PostgreSQL persistent storage allows OAuth2 requests to use excessive memory utilization.
Published: 2025-06-15T14:25:39.067Z
Updated: 2025-06-16T18:08:20.514Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-25573 |
vulnerable | 2026-06-03 14:55:13.699799 |
Stored Cross-Site Scripting in Administrative Console Context
Unsanitized user-supplied data saved in the PingFederate Administrative Console could trigger the execution of JavaScript code in subsequent user processing.
Published: 2025-06-15T15:25:38.540Z
Updated: 2025-06-16T18:05:43.793Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-22477 |
vulnerable | 2026-06-03 14:55:01.245373 |
PingFederate OIDC Policy Management Editor Cross-Site Scripting
LOW (1.8)
A cross-site scripting vulnerability exists in the admin console OIDC Policy Management Editor. The impact is contained to admin console users only.
Published: 2024-07-09T23:01:28.611Z
Updated: 2024-08-01T22:51:09.905Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-22377 |
vulnerable | 2026-06-03 14:55:00.560609 |
PingFederate Runtime Node Path Traversal
MEDIUM (5.3)
The deploy directory in PingFederate runtime nodes is reachable to unauthorized users.
Published: 2024-07-09T23:03:27.722Z
Updated: 2024-08-01T22:43:34.512Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-21832 |
vulnerable | 2026-06-03 14:54:50.915360 |
PingFederate REST API Data Store Injection
LOW (3.5)
A potential JSON injection attack vector exists in PingFederate REST API data stores using the POST method and a JSON request body.
Published: 2024-07-09T23:04:55.088Z
Updated: 2024-08-01T22:27:36.324Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-40545 |
vulnerable | 2026-06-03 14:52:49.925064 |
PingFederate OAuth client_secret_jwt Authentication Bypass
HIGH (8.8)
Authentication bypass when an OAuth2 Client is using client_secret_jwt as its authentication method on affected 11.3 versions via specially crafted requests.
Published: 2024-02-06T17:27:42.361Z
Updated: 2024-08-22T16:53:12.079Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-40148 |
vulnerable | 2026-06-03 14:52:42.596322 |
PingFederate Server Side Request Forgery vulnerability
MEDIUM (6.5)
Server-side request forgery (SSRF) in PingFederate allows unauthenticated http requests to attack network resources and consume server-side resources via forged HTTP POST requests.
Published: 2024-04-10T00:03:31.966Z
Updated: 2024-08-12T15:09:02.174Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-39219 |
vulnerable | 2026-06-03 14:52:37.947745 |
Admin Console Denial of Service via Java class enumeration
HIGH (7.5)
PingFederate Administrative Console dependency contains a weakness where console becomes unresponsive with crafted Java class loading enumeration requests
Published: 2023-10-25T01:44:44.362Z
Updated: 2025-06-12T14:58:40.168Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-37283 |
vulnerable | 2026-06-03 14:52:28.668807 |
Authentication Bypass via HTML Form & Identifier First Adapter
HIGH (8.1)
Under a very specific and highly unrecommended configuration, authentication bypass is possible in the PingFederate Identifier First Adapter
Published: 2023-10-25T01:24:47.780Z
Updated: 2024-08-02T17:09:34.014Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-34085 |
vulnerable | 2026-06-03 14:52:15.583440 |
User Attribute Disclosure via DynamoDB Data Stores
LOW (2.6)
When an AWS DynamoDB table is used for user attribute storage, it is possible to retrieve the attributes of another user using a maliciously crafted request
Published: 2023-10-25T02:03:56.433Z
Updated: 2024-09-10T15:05:08.099Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-40724 |
vulnerable | 2026-06-03 14:48:03.468391 |
Cross-Site Request Forgery on PingFederate Local Identity Profiles Endpoint.
MEDIUM (6.4)
The PingFederate Local Identity Profiles '/pf/idprofile.ping' endpoint is vulnerable to Cross-Site Request Forgery (CSRF) through crafted GET requests.
Published: 2023-04-25T00:00:00.000Z
Updated: 2025-02-04T14:48:33.050Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-23722 |
vulnerable | 2026-06-03 14:46:28.159038 |
PingFederate Password Reset via Authentication API Mishandling
When a password reset mechanism is configured to use the Authentication API with an Authentication Policy, email One-Time Password, PingID or SMS authentication, an existing user can reset another existing user’s password.
Published: 2022-05-02T22:05:13.000Z
Updated: 2024-08-03T03:51:46.174Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-42000 |
vulnerable | 2026-06-03 14:45:26.487242 |
Ping Identity PingFederate Password Reset and Password Change Mishandling with an authentication policy in parallel reset flows
MEDIUM (5.3)
When a password reset or password change flow with an authentication policy is configured and the adapter in the reset or change policy supports multiple parallel reset flows, an existing user can reset another existing users password.
Published: 2022-02-10T22:30:11.000Z
Updated: 2024-08-04T03:22:25.779Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-40329 |
vulnerable | 2026-06-03 14:45:23.355336 |
Details available
The Authentication API in Ping Identity PingFederate before 10.3 mishandles certain aspects of external password management.
Published: 2021-09-27T16:22:11.000Z
Updated: 2024-08-04T02:27:31.919Z |
Imported from gcve-enriched-dumps CVE data |
Contribute
You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.