Common Weakness Enumeration

CWE-462

Allowed

Duplicate Key in Associative List (Alist)

Abstraction: Variant · Status: Incomplete

Duplicate keys in associative lists can lead to non-unique keys being mistaken for an error.

2 vulnerabilities reference this CWE, most recent first.

CVE-2025-21085 (GCVE-0-2025-21085)

Vulnerability from cvelistv5 – Published: 2025-06-15 14:25 – Updated: 2025-06-16 18:08
VLAI
Title
PingFederate OAuth Grant attribute duplication may use excessive memory
Summary
PingFederate OAuth2 grant duplication in PostgreSQL persistent storage allows OAuth2 requests to use excessive memory utilization.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-462 - Duplicate Key in Associative List
Assigner
Impacted products
Vendor Product Version
Ping Identity PingFederate Affected: 12.2.0 , < 12.2.4 (custom)
Affected: 12.1.0 , < 12.1.9 (custom)
Affected: 12.0 , < 12.0.9 (custom)
Affected: 11.3.0 , < 11.3.13 (custom)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-21085",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-16T18:08:12.829414Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-16T18:08:20.514Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "modules": [
            "PostgreSQL"
          ],
          "platforms": [
            "Windows",
            "Linux"
          ],
          "product": "PingFederate",
          "vendor": "Ping Identity",
          "versions": [
            {
              "lessThan": "12.2.4",
              "status": "affected",
              "version": "12.2.0",
              "versionType": "custom"
            },
            {
              "lessThan": "12.1.9",
              "status": "affected",
              "version": "12.1.0",
              "versionType": "custom"
            },
            {
              "lessThan": "12.0.9",
              "status": "affected",
              "version": "12.0",
              "versionType": "custom"
            },
            {
              "lessThan": "11.3.13",
              "status": "affected",
              "version": "11.3.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "PingFederate OAuth2 grant duplication in PostgreSQL persistent storage allows OAuth2 requests to use excessive memory utilization."
            }
          ],
          "value": "PingFederate OAuth2 grant duplication in PostgreSQL persistent storage allows OAuth2 requests to use excessive memory utilization."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-130",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-130 Excessive Allocation"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "YES",
            "Recovery": "AUTOMATIC",
            "Safety": "PRESENT",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 2.1,
            "baseSeverity": "LOW",
            "privilegesRequired": "LOW",
            "providerUrgency": "AMBER",
            "subAvailabilityImpact": "LOW",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "PASSIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/S:P/AU:Y/R:A/RE:L/U:Amber",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "LOW"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-462",
              "description": "CWE-462 Duplicate Key in Associative List",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-15T14:25:39.067Z",
        "orgId": "5998a2e9-ae88-42cd-b6e0-7564fd979f9e",
        "shortName": "Ping Identity"
      },
      "references": [
        {
          "tags": [
            "mitigation"
          ],
          "url": "https://support.pingidentity.com/s/article/PingFederate-grant-attribute-duplication-with-PostgreSQL"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://www.pingidentity.com/en/resources/downloads/pingfederate.html"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "PingFederate OAuth Grant attribute duplication may use excessive memory",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Configuration options to mitigate:\u003cbr\u003e\u003cul\u003e\u003cli\u003eMinimum Interval to Roll Refresh Tokens\u003c/li\u003e\u003cli\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eRefresh Token Rolling Grace Period (Seconds)\u003c/span\u003e\u003cbr\u003e\u003c/li\u003e\u003c/ul\u003e"
            }
          ],
          "value": "Configuration options to mitigate:\n  *  Minimum Interval to Roll Refresh Tokens\n  *  Refresh Token Rolling Grace Period (Seconds)"
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "5998a2e9-ae88-42cd-b6e0-7564fd979f9e",
    "assignerShortName": "Ping Identity",
    "cveId": "CVE-2025-21085",
    "datePublished": "2025-06-15T14:25:39.067Z",
    "dateReserved": "2025-04-16T01:21:55.198Z",
    "dateUpdated": "2025-06-16T18:08:20.514Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

GHSA-4755-93R4-QVXJ

Vulnerability from github – Published: 2025-06-15 15:30 – Updated: 2025-06-15 15:30
VLAI
Details

PingFederate OAuth2 grant duplication in PostgreSQL persistent storage allows OAuth2 requests to use excessive memory utilization.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-21085"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-462"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-15T15:15:18Z",
    "severity": "LOW"
  },
  "details": "PingFederate OAuth2 grant duplication in PostgreSQL persistent storage allows OAuth2 requests to use excessive memory utilization.",
  "id": "GHSA-4755-93r4-qvxj",
  "modified": "2025-06-15T15:30:31Z",
  "published": "2025-06-15T15:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21085"
    },
    {
      "type": "WEB",
      "url": "https://support.pingidentity.com/s/article/PingFederate-grant-attribute-duplication-with-PostgreSQL"
    },
    {
      "type": "WEB",
      "url": "https://www.pingidentity.com/en/resources/downloads/pingfederate.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:A/V:X/RE:L/U:Amber",
      "type": "CVSS_V4"
    }
  ]
}

Mitigation
Architecture and Design

Use a hash table instead of an alist.

Mitigation
Architecture and Design

Use an alist which checks the uniqueness of hash keys with each entry before inserting the entry.

No CAPEC attack patterns related to this CWE.