CVE-2025-21085
2.1
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/S:P/AU:Y/R:A/RE:L/U:Amber
Summary
PingFederate OAuth2 grant duplication in PostgreSQL persistent storage allows OAuth2 requests to use excessive memory utilization.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Ping Identity | PingFederate | 12.2.0 < 12.2.4 | affected |
| Ping Identity | PingFederate | 12.1.0 < 12.1.9 | affected |
| Ping Identity | PingFederate | 12.0 < 12.0.9 | affected |
| Ping Identity | PingFederate | 11.3.0 < 11.3.13 | affected |
Weaknesses
- CWE-462: CWE-462 Duplicate Key in Associative List
Workarounds
Configuration options to mitigate:
- Minimum Interval to Roll Refresh Tokens
- Refresh Token Rolling Grace Period (Seconds)
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://support.pingidentity.com/s/article/PingFederate-grant-attribute-duplication-with-PostgreSQL
- https://www.pingidentity.com/en/resources/downloads/pingfederate.html
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.