Vendor scorecard
Ping Identity
Ping Identity security disclosure record — CVE volume, CVSS severity mix and product-category breakdown, sourced from the NIST NVD.
CPE: pingidentity
Product families
1
Open in latest
9
Inferred — see methodology
Last disclosure
Jul 9, 2024
01
Product categories
1 trackedCVE volume, severity mix and the inferred latest shipping version per category.
| Category | CVEs | Volume | Severity mix | Open | Inferred latest |
|---|---|---|---|---|---|
| PingFederate / PingAccessIdentity & Access Managementpingfederate, pingaccess, pingdirectory… | 18 | 9 | 1.19LOW |
02
Recent CVEs
12 shownMost recently published, newest first. Each ID links to its NVD record.
| CVE | Severity | CVSS | Summary | Published |
|---|---|---|---|---|
| CVE-2024-22477(opens NVD record) | Low | 1.8 | A cross-site scripting vulnerability exists in the admin console OIDC Policy Management Editor. The impact is contained to admin console users only. | Jul 9, 2024 |
| CVE-2024-22377(opens NVD record) | Medium | 5.3 | The deploy directory in PingFederate runtime nodes is reachable to unauthorized users. | Jul 9, 2024 |
| CVE-2023-40545(opens NVD record) | High | 8.8 | Authentication bypass when an OAuth2 Client is using client_secret_jwt as its authentication method on affected 11.3 versions via specially crafted requests. | Feb 6, 2024 |
| CVE-2023-36496(opens NVD record) | High | 7.7 | Delegated Admin Privilege virtual attribute provider plugin, when enabled, allows an authenticated user to elevate their permissions in the Directory Server. | Feb 1, 2024 |
| CVE-2023-39219(opens NVD record) | High | 7.5 | PingFederate Administrative Console dependency contains a weakness where console becomes unresponsive with crafted Java class loading enumeration requests | Oct 25, 2023 |
| CVE-2023-37283(opens NVD record) | High | 8.1 | Under a very specific and highly unrecommended configuration, authentication bypass is possible in the PingFederate Identifier First Adapter | Oct 25, 2023 |
| CVE-2023-34085(opens NVD record) | Low | 2.6 | When an AWS DynamoDB table is used for user attribute storage, it is possible to retrieve the attributes of another user using a maliciously crafted request | Oct 25, 2023 |
| CVE-2022-40724(opens NVD record) | Medium | 6.4 | The PingFederate Local Identity Profiles '/pf/idprofile.ping' endpoint is vulnerable to Cross-Site Request Forgery (CSRF) through crafted GET requests. | Apr 25, 2023 |
| CVE-2022-40723(opens NVD record) | Medium | 6.5 | The PingID RADIUS PCV adapter for PingFederate, which supports RADIUS authentication with PingID MFA, is vulnerable to MFA bypass under certain configurations. | Apr 25, 2023 |
| CVE-2022-40722(opens NVD record) | High | 7.7 | A misconfiguration of RSA padding implemented in the PingID Adapter for PingFederate to support Offline MFA with PingID mobile authenticators is vulnerable to pre-computed dictionary attacks, leading to a bypass of offline MFA. | Apr 25, 2023 |
| CVE-2022-23722(opens NVD record) | Medium | 6.5 | When a password reset mechanism is configured to use the Authentication API with an Authentication Policy, email One-Time Password, PingID or SMS authentication, an existing user can reset another existing user’s password. | May 2, 2022 |
| CVE-2021-41994(opens NVD record) | Medium | 6.6 | A misconfiguration of RSA in PingID iOS app prior to 1.19 is vulnerable to pre-computed dictionary attacks, leading to an offline MFA bypass when using PingID Windows Login. | Apr 30, 2022 |
18 CVEs · 1 product families