VYPR
Vendor: Pingidentity
Products: 20 | CVEs: 54 | Across products: 57 | Status: Private

Recent CVEs (54 total)
  • CVE-2025-20059 | Critical | Feb 20, 2025
    risk 0.59 | cvss 9.1 | epss 0.01

    Relative Path Traversal vulnerability in Ping Identity PingAM Java Policy Agent allows Parameter Injection. This issue affects PingAM Java Policy Agent: through 5.10.3, through 2023.11.1, through 2024.9.

  • CVE-2023-40356 | High | Jul 9, 2024
    risk 0.57 | cvss not listed | epss 0.00

    PingOne MFA Integration Kit contains a vulnerability related to the Prompt Users to Set Up MFA configuration. Under certain conditions, this configuration could allow for a new MFA device to be paired with a target user account without requiring second-factor authentication from…

  • CVE-2024-23316 | High | May 31, 2024
    risk 0.57 | cvss not listed | epss 0.01

    HTTP request desynchronization in Ping Identity PingAccess, all versions prior to 8.0.1 affected allows an attacker to send specially crafted http header requests to create a request smuggling condition for proxied requests.

  • CVE-2025-27935 | High | Dec 4, 2025
    risk 0.56 | cvss not listed | epss 0.00

    The OTP Integration Kit for PingFederate fails to enforce HTTP method validation and state validation properly. The server advances the authentication state without verifying the OTP, thereby bypassing multi-factor authentication.

  • CVE-2017-6062 | High | Mar 2, 2017
    risk 0.56 | cvss 8.6 | epss 0.04

    The "OpenID Connect Relying Party and OAuth 2.0 Resource Server" (aka mod_auth_openidc) module before 2.1.5 for the Apache HTTP Server does not skip OIDC_CLAIM_ and OIDCAuthNHeader headers in an "OIDCUnAuthAction pass" configuration, which allows remote attackers to bypass…

  • CVE-2023-40702 | High | Jul 9, 2024
    risk 0.50 | cvss not listed | epss 0.00

    PingOne MFA Integration Kit contains a vulnerability where the skipMFA action can be configured such that user authentication does not require the second factor authentication from the user's existing registered devices. A threat actor might be able to exploit this vulnerability…

  • CVE-2017-6059 | High | Apr 12, 2017
    risk 0.49 | cvss 7.5 | epss 0.05

    Mod_auth_openidc.c in the Ping Identity OpenID Connect authentication module for Apache (aka mod_auth_openidc) before 2.14 allows remote attackers to spoof page content via a malicious URL provided to the user, which triggers an invalid request.

  • CVE-2025-20628 | Medium | Apr 7, 2026
    risk 0.45 | cvss not listed | epss 0.00

    An insufficient granularity of access control vulnerability exists in PingIDM (formerly ForgeRock Identity Management) where administrators cannot properly configure access rules for Remote Connector Servers (RCS) running in client mode. This means attackers can spoof a…

  • CVE-2024-25573 | Medium | Jun 15, 2025
    risk 0.45 | cvss not listed | epss 0.00

    Unsanitized user-supplied data saved in the PingFederate Administrative Console could trigger the execution of JavaScript code in subsequent user processing.

  • CVE-2025-22854 | Medium | Jun 15, 2025
    risk 0.45 | cvss not listed | epss 0.00

    Improper handling of non-200 http responses in the PingFederate Google Adapter leads to thread exhaustion under normal usage conditions.

  • CVE-2023-40148 | Medium | Apr 10, 2024
    risk 0.42 | cvss 6.5 | epss 0.00

    Server-side request forgery (SSRF) in PingFederate allows unauthenticated http requests to attack network resources and consume server-side resources via forged HTTP POST requests.

  • CVE-2026-20746 | Medium | Jun 12, 2026
    risk 0.41 | cvss not listed | epss 0.00

    Virtual attribute handling in Ping Identity PingDirectory in affected versions allows only authorized users to exhaust java memory heap when recent login history is enabled and copying virtual attributes that reference ds-privilege-name values.

  • CVE-2024-23983 | Medium | Nov 11, 2024
    risk 0.38 | cvss not listed | epss 0.00

    Improper handling of canonical URL-encoding may lead to bypass not properly constrained by request rules.

  • CVE-2024-21832 | Low | Jul 9, 2024
    risk 0.23 | cvss 3.5 | epss 0.00

    A potential JSON injection attack vector exists in PingFederate REST API data stores using the POST method and a JSON request body.

  • CVE-2024-23600 | Low | Aug 1, 2024
    risk 0.18 | cvss 2.7 | epss 0.01

    Improper Input Validation of query search results for private field data in PingIDM (Query Filter module) allows for a potentially efficient brute forcing approach leading to information disclosure.

  • CVE-2025-21085 | Low | Jun 15, 2025
    risk 0.14 | cvss not listed | epss 0.00

    PingFederate OAuth2 grant duplication in PostgreSQL persistent storage allows OAuth2 requests to use excessive memory utilization.

  • CVE-2020-10654 | severity not listed | May 13, 2020
    risk 0.01 | cvss not listed | epss 0.03

    Ping Identity PingID SSH before 4.0.14 contains a heap buffer overflow in PingID-enrolled servers. This condition can be potentially exploited into a Remote Code Execution vector on the authenticating endpoint.

  • CVE-2025-26862 | None | Oct 27, 2025
    risk 0.00 | cvss not listed | epss 0.00

    Unexpected authentication form rendering in HTML Form Adapter using only non-default redirectless mode in PingFederate allows authentication attempts which may enable brute force login attacks.

  • CVE-2024-22377 | severity not listed | Jul 9, 2024
    risk 0.00 | cvss not listed | epss 0.00

    The deploy directory in PingFederate runtime nodes is reachable to unauthorized users.

  • CVE-2024-22477 | severity not listed | Jul 9, 2024
    risk 0.00 | cvss not listed | epss 0.00

    A cross-site scripting vulnerability exists in the admin console OIDC Policy Management Editor. The impact is contained to admin console users only.