
    6 vulnerabilities found for PingAccess by Ping Identity

    CVE-2024-23983 (GCVE-0-2024-23983)

    Vulnerability from cvelistv5 – Published: 2024-11-11 22:56 – Updated: 2024-11-12 18:51
    VLAI
    Title
    Access rules for PingAccess may be circumvented with URL-encoded characters
    Summary
    Improper handling of canonical URL-encoding may allow requests to bypass request rules and reach functionality that those rules do not properly constrain.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper Input Validation
    • CWE-177 - Improper Handling of URL Encoding
    Assigner
    Impacted products
    Vendor Product Version
    Ping Identity PingAccess Affected: 8.1.0 , < 8.1.1 (custom)
    Affected: 8.0.0 , < 8.0.4 (custom)
    Affected: 7.3.0 , < 7.3.5 (custom)
    Affected: 7.2.0 , < 7.2.4 (custom)
    Affected: 7.1.0 , < 7.1.5 (custom)
    Affected: 7.0.0 , < 7.0.8 (custom)
    Affected: 6.0.0 , < 6.3.9 (custom)
    pingidentity pingaccess Affected: 8.1.0 , < 8.1.1 (custom)
    Affected: 8.0.0 , < 8.0.4 (custom)
    Affected: 7.3.0 , < 7.3.5 (custom)
    Affected: 7.2.0 , < 7.2.4 (custom)
    Affected: 7.1.0 , < 7.1.5 (custom)
    Affected: 7.0.0 , < 7.0.8 (custom)
    Affected: 6.0.0 , < 6.3.9 (custom)
        cpe:2.3:a:pingidentity:pingaccess:*:*:*:*:*:*:*:*

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:pingidentity:pingaccess:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "pingaccess",
                "vendor": "pingidentity",
                "versions": [
                  {
                    "lessThan": "8.1.1",
                    "status": "affected",
                    "version": "8.1.0",
                    "versionType": "custom"
                  },
                  {
                    "lessThan": "8.0.4",
                    "status": "affected",
                    "version": "8.0.0",
                    "versionType": "custom"
                  },
                  {
                    "lessThan": "7.3.5",
                    "status": "affected",
                    "version": "7.3.0",
                    "versionType": "custom"
                  },
                  {
                    "lessThan": "7.2.4",
                    "status": "affected",
                    "version": "7.2.0",
                    "versionType": "custom"
                  },
                  {
                    "lessThan": "7.1.5",
                    "status": "affected",
                    "version": "7.1.0",
                    "versionType": "custom"
                  },
                  {
                    "lessThan": "7.0.8",
                    "status": "affected",
                    "version": "7.0.0",
                    "versionType": "custom"
                  },
                  {
                    "lessThan": "6.3.9",
                    "status": "affected",
                    "version": "6.0.0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-23983",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-11-12T18:49:35.472344Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-12T18:51:50.901Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "modules": [
                "Rules engine"
              ],
              "product": "PingAccess",
              "vendor": "Ping Identity",
              "versions": [
                {
                  "lessThan": "8.1.1",
                  "status": "affected",
                  "version": "8.1.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.0.4",
                  "status": "affected",
                  "version": "8.0.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "7.3.5",
                  "status": "affected",
                  "version": "7.3.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "7.2.4",
                  "status": "affected",
                  "version": "7.2.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "7.1.5",
                  "status": "affected",
                  "version": "7.1.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "7.0.8",
                  "status": "affected",
                  "version": "7.0.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "6.3.9",
                  "status": "affected",
                  "version": "6.0.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper handling of canonical URL-encoding may lead to bypass not properly constrained by request rules.\u003cbr\u003e"
                }
              ],
              "value": "Improper handling of canonical URL-encoding may lead to bypass not properly constrained by request rules."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-1",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "YES",
                "Recovery": "NOT_DEFINED",
                "Safety": "PRESENT",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 5.8,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "providerUrgency": "AMBER",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "PASSIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H/S:P/AU:Y/RE:M/U:Amber",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "LOW",
                "vulnerabilityResponseEffort": "MODERATE"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20 Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-177",
                  "description": "CWE-177 Improper Handling of URL Encoding",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-11-11T22:56:58.036Z",
            "orgId": "5998a2e9-ae88-42cd-b6e0-7564fd979f9e",
            "shortName": "Ping Identity"
          },
          "references": [
            {
              "url": "https://docs.pingidentity.com/pingaccess/latest/release_notes/pa_811_rn.html"
            },
            {
              "url": "https://www.pingidentity.com/en/resources/downloads/pingaccess.html"
            }
          ],
          "source": {
            "defect": [
              "PA-15776"
            ],
            "discovery": "EXTERNAL"
          },
          "title": "Access rules for PingAccess may be circumvented with URL-encoded characters",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "5998a2e9-ae88-42cd-b6e0-7564fd979f9e",
        "assignerShortName": "Ping Identity",
        "cveId": "CVE-2024-23983",
        "datePublished": "2024-11-11T22:56:58.036Z",
        "dateReserved": "2024-02-29T23:52:30.472Z",
        "dateUpdated": "2024-11-12T18:51:50.901Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-23316 (GCVE-0-2024-23316)

    Vulnerability from cvelistv5 – Published: 2024-05-31 19:08 – Updated: 2024-08-01 22:59
    VLAI
    Title
    PingAccess HTTP Request Desynchronization Weakness
    Summary
    HTTP request desynchronization in Ping Identity PingAccess (all versions prior to 8.0.1 are affected) allows an attacker to send specially crafted HTTP request headers to create a request smuggling condition for proxied requests.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
    Assigner
    Impacted products
    Vendor Product Version
    Ping Identity PingAccess Affected: 0 , < 8.0.1 (custom)
    pingidentity pingaccess Affected: 0 , < 8.0.1 (custom)
        cpe:2.3:a:pingidentity:pingaccess:*:*:*:*:*:*:*:*

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:pingidentity:pingaccess:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "pingaccess",
                "vendor": "pingidentity",
                "versions": [
                  {
                    "lessThan": "8.0.1",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-23316",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-06-03T15:21:45.806966Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-05T18:41:55.387Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T22:59:32.210Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://support.pingidentity.com/s/article/SECADV045-PA-HTTP-Smuggling"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://docs.pingidentity.com/r/en-us/pingaccess-80/pa_801_rn"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.pingidentity.com/en/resources/downloads/pingaccess.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "PingAccess",
              "vendor": "Ping Identity",
              "versions": [
                {
                  "lessThan": "8.0.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "HTTP request desynchronization in Ping Identity PingAccess, all versions prior to 8.0.1 affected allows an attacker to send specially crafted http header requests to create a request smuggling condition for proxied requests."
                }
              ],
              "value": "HTTP request desynchronization in Ping Identity PingAccess, all versions prior to 8.0.1 affected allows an attacker to send specially crafted http header requests to create a request smuggling condition for proxied requests."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-33",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-33 HTTP Request Smuggling"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "YES",
                "Recovery": "AUTOMATIC",
                "Safety": "PRESENT",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "providerUrgency": "AMBER",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "PASSIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/S:P/AU:Y/R:A/RE:M/U:Amber",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "MODERATE"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-444",
                  "description": "CWE-444 Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-05-31T19:08:35.381Z",
            "orgId": "5998a2e9-ae88-42cd-b6e0-7564fd979f9e",
            "shortName": "Ping Identity"
          },
          "references": [
            {
              "url": "https://support.pingidentity.com/s/article/SECADV045-PA-HTTP-Smuggling"
            },
            {
              "url": "https://docs.pingidentity.com/r/en-us/pingaccess-80/pa_801_rn"
            },
            {
              "url": "https://www.pingidentity.com/en/resources/downloads/pingaccess.html"
            }
          ],
          "source": {
            "advisory": "SECADV045",
            "defect": [
              "PA-15610"
            ],
            "discovery": "EXTERNAL"
          },
          "title": "PingAccess HTTP Request Desynchronization Weakness",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "5998a2e9-ae88-42cd-b6e0-7564fd979f9e",
        "assignerShortName": "Ping Identity",
        "cveId": "CVE-2024-23316",
        "datePublished": "2024-05-31T19:08:35.381Z",
        "dateReserved": "2024-01-17T17:27:24.608Z",
        "dateUpdated": "2024-08-01T22:59:32.210Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-31923 (GCVE-0-2021-31923)

    Vulnerability from cvelistv5 – Published: 2021-09-24 02:30 – Updated: 2024-08-03 23:10
    VLAI
    Summary
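    Ping Identity PingAccess before 5.3.3 allows HTTP request smuggling via header manipulation. Note that the structured affected-version data in the record below lists only "5.3", so tooling that matches on that field alone may miss other releases earlier than 5.3.3.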
    Severity
    No CVSS data available.
    CWE
    • HTTP Request Smuggling
    Assigner
    References
    Impacted products
    Credits
    Ping Identity credits Portswigger Research for the discovery of this vulnerability. Ping Identity credits MUFG Union Bank for their responsible disclosure.

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T23:10:31.392Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://docs.pingidentity.com/bundle/pingaccess-53/page/wco1629833104567.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "PingAccess",
              "vendor": "Ping Identity",
              "versions": [
                {
                  "status": "affected",
                  "version": "5.3"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Ping Identity credits Portswigger Research for the discovery of this vulnerability."
            },
            {
              "lang": "en",
              "value": "Ping Identity credits MUFG Union Bank for their responsible disclosure."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Ping Identity PingAccess before 5.3.3 allows HTTP request smuggling via header manipulation."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "HTTP Request Smuggling",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-10-18T14:30:08.000Z",
            "orgId": "5998a2e9-ae88-42cd-b6e0-7564fd979f9e",
            "shortName": "Ping Identity"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://docs.pingidentity.com/bundle/pingaccess-53/page/wco1629833104567.html"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "responsible-disclosure@pingidentity.com",
              "ID": "CVE-2021-31923",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "PingAccess",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "5.3"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Ping Identity"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Ping Identity credits Portswigger Research for the discovery of this vulnerability."
              },
              {
                "lang": "eng",
                "value": "Ping Identity credits MUFG Union Bank for their responsible disclosure."
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Ping Identity PingAccess before 5.3.3 allows HTTP request smuggling via header manipulation."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "HTTP Request Smuggling"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://docs.pingidentity.com/bundle/pingaccess-53/page/wco1629833104567.html",
                  "refsource": "CONFIRM",
                  "url": "https://docs.pingidentity.com/bundle/pingaccess-53/page/wco1629833104567.html"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "5998a2e9-ae88-42cd-b6e0-7564fd979f9e",
        "assignerShortName": "Ping Identity",
        "cveId": "CVE-2021-31923",
        "datePublished": "2021-09-24T02:30:11.000Z",
        "dateReserved": "2021-04-30T00:00:00.000Z",
        "dateUpdated": "2024-08-03T23:10:31.392Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-23983 (GCVE-0-2024-23983)

    Vulnerability from nvd – Published: 2024-11-11 22:56 – Updated: 2024-11-12 18:51
    VLAI
    Title
    Access rules for PingAccess may be circumvented with URL-encoded characters
    Summary
    Improper handling of canonical URL-encoding may allow requests to bypass request rules and reach functionality that those rules do not properly constrain.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper Input Validation
    • CWE-177 - Improper Handling of URL Encoding
    Assigner
    Impacted products
    Vendor Product Version
    Ping Identity PingAccess Affected: 8.1.0 , < 8.1.1 (custom)
    Affected: 8.0.0 , < 8.0.4 (custom)
    Affected: 7.3.0 , < 7.3.5 (custom)
    Affected: 7.2.0 , < 7.2.4 (custom)
    Affected: 7.1.0 , < 7.1.5 (custom)
    Affected: 7.0.0 , < 7.0.8 (custom)
    Affected: 6.0.0 , < 6.3.9 (custom)
    pingidentity pingaccess Affected: 8.1.0 , < 8.1.1 (custom)
    Affected: 8.0.0 , < 8.0.4 (custom)
    Affected: 7.3.0 , < 7.3.5 (custom)
    Affected: 7.2.0 , < 7.2.4 (custom)
    Affected: 7.1.0 , < 7.1.5 (custom)
    Affected: 7.0.0 , < 7.0.8 (custom)
    Affected: 6.0.0 , < 6.3.9 (custom)
        cpe:2.3:a:pingidentity:pingaccess:*:*:*:*:*:*:*:*

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:pingidentity:pingaccess:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "pingaccess",
                "vendor": "pingidentity",
                "versions": [
                  {
                    "lessThan": "8.1.1",
                    "status": "affected",
                    "version": "8.1.0",
                    "versionType": "custom"
                  },
                  {
                    "lessThan": "8.0.4",
                    "status": "affected",
                    "version": "8.0.0",
                    "versionType": "custom"
                  },
                  {
                    "lessThan": "7.3.5",
                    "status": "affected",
                    "version": "7.3.0",
                    "versionType": "custom"
                  },
                  {
                    "lessThan": "7.2.4",
                    "status": "affected",
                    "version": "7.2.0",
                    "versionType": "custom"
                  },
                  {
                    "lessThan": "7.1.5",
                    "status": "affected",
                    "version": "7.1.0",
                    "versionType": "custom"
                  },
                  {
                    "lessThan": "7.0.8",
                    "status": "affected",
                    "version": "7.0.0",
                    "versionType": "custom"
                  },
                  {
                    "lessThan": "6.3.9",
                    "status": "affected",
                    "version": "6.0.0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-23983",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-11-12T18:49:35.472344Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-12T18:51:50.901Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "modules": [
                "Rules engine"
              ],
              "product": "PingAccess",
              "vendor": "Ping Identity",
              "versions": [
                {
                  "lessThan": "8.1.1",
                  "status": "affected",
                  "version": "8.1.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.0.4",
                  "status": "affected",
                  "version": "8.0.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "7.3.5",
                  "status": "affected",
                  "version": "7.3.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "7.2.4",
                  "status": "affected",
                  "version": "7.2.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "7.1.5",
                  "status": "affected",
                  "version": "7.1.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "7.0.8",
                  "status": "affected",
                  "version": "7.0.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "6.3.9",
                  "status": "affected",
                  "version": "6.0.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper handling of canonical URL-encoding may lead to bypass not properly constrained by request rules.\u003cbr\u003e"
                }
              ],
              "value": "Improper handling of canonical URL-encoding may lead to bypass not properly constrained by request rules."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-1",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "YES",
                "Recovery": "NOT_DEFINED",
                "Safety": "PRESENT",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 5.8,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "providerUrgency": "AMBER",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "PASSIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H/S:P/AU:Y/RE:M/U:Amber",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "LOW",
                "vulnerabilityResponseEffort": "MODERATE"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20 Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-177",
                  "description": "CWE-177 Improper Handling of URL Encoding",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-11-11T22:56:58.036Z",
            "orgId": "5998a2e9-ae88-42cd-b6e0-7564fd979f9e",
            "shortName": "Ping Identity"
          },
          "references": [
            {
              "url": "https://docs.pingidentity.com/pingaccess/latest/release_notes/pa_811_rn.html"
            },
            {
              "url": "https://www.pingidentity.com/en/resources/downloads/pingaccess.html"
            }
          ],
          "source": {
            "defect": [
              "PA-15776"
            ],
            "discovery": "EXTERNAL"
          },
          "title": "Access rules for PingAccess may be circumvented with URL-encoded characters",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "5998a2e9-ae88-42cd-b6e0-7564fd979f9e",
        "assignerShortName": "Ping Identity",
        "cveId": "CVE-2024-23983",
        "datePublished": "2024-11-11T22:56:58.036Z",
        "dateReserved": "2024-02-29T23:52:30.472Z",
        "dateUpdated": "2024-11-12T18:51:50.901Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-23316 (GCVE-0-2024-23316)

    Vulnerability from nvd – Published: 2024-05-31 19:08 – Updated: 2024-08-01 22:59
    Title
    PingAccess HTTP Request Desynchronization Weakness
    Summary
    HTTP request desynchronization in Ping Identity PingAccess (all versions prior to 8.0.1 are affected) allows an attacker to send specially crafted HTTP header requests to create a request smuggling condition for proxied requests.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
    Assigner
    Impacted products
    Vendor Product Version
    Ping Identity PingAccess Affected: 0 , < 8.0.1 (custom)
    pingidentity pingaccess Affected: 0 , < 8.0.1 (custom)
        cpe:2.3:a:pingidentity:pingaccess:*:*:*:*:*:*:*:*

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:pingidentity:pingaccess:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "pingaccess",
                "vendor": "pingidentity",
                "versions": [
                  {
                    "lessThan": "8.0.1",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-23316",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-06-03T15:21:45.806966Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-05T18:41:55.387Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T22:59:32.210Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://support.pingidentity.com/s/article/SECADV045-PA-HTTP-Smuggling"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://docs.pingidentity.com/r/en-us/pingaccess-80/pa_801_rn"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.pingidentity.com/en/resources/downloads/pingaccess.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "PingAccess",
              "vendor": "Ping Identity",
              "versions": [
                {
                  "lessThan": "8.0.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "HTTP request desynchronization in Ping Identity PingAccess, all versions prior to 8.0.1 affected allows an attacker to send specially crafted http header requests to create a request smuggling condition for proxied requests."
                }
              ],
              "value": "HTTP request desynchronization in Ping Identity PingAccess, all versions prior to 8.0.1 affected allows an attacker to send specially crafted http header requests to create a request smuggling condition for proxied requests."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-33",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-33 HTTP Request Smuggling"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "YES",
                "Recovery": "AUTOMATIC",
                "Safety": "PRESENT",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "providerUrgency": "AMBER",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "PASSIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/S:P/AU:Y/R:A/RE:M/U:Amber",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "MODERATE"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-444",
                  "description": "CWE-444 Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-05-31T19:08:35.381Z",
            "orgId": "5998a2e9-ae88-42cd-b6e0-7564fd979f9e",
            "shortName": "Ping Identity"
          },
          "references": [
            {
              "url": "https://support.pingidentity.com/s/article/SECADV045-PA-HTTP-Smuggling"
            },
            {
              "url": "https://docs.pingidentity.com/r/en-us/pingaccess-80/pa_801_rn"
            },
            {
              "url": "https://www.pingidentity.com/en/resources/downloads/pingaccess.html"
            }
          ],
          "source": {
            "advisory": "SECADV045",
            "defect": [
              "PA-15610"
            ],
            "discovery": "EXTERNAL"
          },
          "title": "PingAccess HTTP Request Desynchronization Weakness",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "5998a2e9-ae88-42cd-b6e0-7564fd979f9e",
        "assignerShortName": "Ping Identity",
        "cveId": "CVE-2024-23316",
        "datePublished": "2024-05-31T19:08:35.381Z",
        "dateReserved": "2024-01-17T17:27:24.608Z",
        "dateUpdated": "2024-08-01T22:59:32.210Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-31923 (GCVE-0-2021-31923)

    Vulnerability from nvd – Published: 2021-09-24 02:30 – Updated: 2024-08-03 23:10
    Summary
    Ping Identity PingAccess before 5.3.3 allows HTTP request smuggling via header manipulation.
    Severity
    No CVSS data available.
    CWE
    • HTTP Request Smuggling
    Assigner
    References
    Impacted products
    Credits
    Ping Identity credits Portswigger Research for the discovery of this vulnerability. Ping Identity credits MUFG Union Bank for their responsible disclosure.

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T23:10:31.392Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://docs.pingidentity.com/bundle/pingaccess-53/page/wco1629833104567.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "PingAccess",
              "vendor": "Ping Identity",
              "versions": [
                {
                  "status": "affected",
                  "version": "5.3"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Ping Identity credits Portswigger Research for the discovery of this vulnerability."
            },
            {
              "lang": "en",
              "value": "Ping Identity credits MUFG Union Bank for their responsible disclosure."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Ping Identity PingAccess before 5.3.3 allows HTTP request smuggling via header manipulation."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "HTTP Request Smuggling",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-10-18T14:30:08.000Z",
            "orgId": "5998a2e9-ae88-42cd-b6e0-7564fd979f9e",
            "shortName": "Ping Identity"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://docs.pingidentity.com/bundle/pingaccess-53/page/wco1629833104567.html"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "responsible-disclosure@pingidentity.com",
              "ID": "CVE-2021-31923",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "PingAccess",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "5.3"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Ping Identity"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Ping Identity credits Portswigger Research for the discovery of this vulnerability."
              },
              {
                "lang": "eng",
                "value": "Ping Identity credits MUFG Union Bank for their responsible disclosure."
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Ping Identity PingAccess before 5.3.3 allows HTTP request smuggling via header manipulation."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "HTTP Request Smuggling"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://docs.pingidentity.com/bundle/pingaccess-53/page/wco1629833104567.html",
                  "refsource": "CONFIRM",
                  "url": "https://docs.pingidentity.com/bundle/pingaccess-53/page/wco1629833104567.html"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "5998a2e9-ae88-42cd-b6e0-7564fd979f9e",
        "assignerShortName": "Ping Identity",
        "cveId": "CVE-2021-31923",
        "datePublished": "2021-09-24T02:30:11.000Z",
        "dateReserved": "2021-04-30T00:00:00.000Z",
        "dateUpdated": "2024-08-03T23:10:31.392Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }