Under a very specific and highly unrecommended configuration, authentication bypass is possible in the PingFederate Identifier First Adapter
oryginał ENCVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:NPingidentity Pingfederate
APPPingidentity11.3.010.3.0 – 10.3.1211.1.0 – 11.1.711.2.0 – 11.2.6
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
Tagi
Auth Bypass
Powiązane podatności
CVE-2021-40329CRITICAL9.8ten sam produkt
The Authentication API in Ping Identity PingFederate before 10.3 mishandles certain aspects of external passwo...
CVE-2023-40545HIGH8.8ten sam produkt
Authentication bypass when an OAuth2 Client is using client_secret_jwt as its authentication method on affecte...
CVE-2023-39219HIGH7.5ten sam produkt
PingFederate Administrative Console dependency contains a weakness where console becomes unresponsive with cra...
CVE-2022-40722HIGH7.7ten sam produkt
A misconfiguration of RSA padding implemented in the PingID Adapter for PingFederate to support Offline MFA wi...
CVE-2021-41770HIGH7.5ten sam produkt
Ping Identity PingFederate before 10.3.1 mishandles pre-parsing validation, leading to an XXE attack that can ...