CVE-2024-22377 - Vulnerability Details - OpenCVE

The deploy directory in PingFederate runtime nodes is reachable to unauthorized users.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00272.

Key SSVC decision points have not yet been added.

Vendors	Products
Pingidentity	Pingfederate

Configuration 1 [-]

OR	cpe:2.3:a:pingidentity:pingfederate::::::::
	cpe:2.3:a:pingidentity:pingfederate::::::::
	cpe:2.3:a:pingidentity:pingfederate::::::::
	cpe:2.3:a:pingidentity:pingfederate::::::::
	cpe:2.3:a:pingidentity:pingfederate::::::::
	cpe:2.3:a:pingidentity:pingfederate:12.0.0:::::::*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2024-19934	The deploy directory in PingFederate runtime nodes is reachable to unauthorized users.

Fixes

Solution

No solution given by the vendor.

Workaround

The deploy directory can be restricted by making changes to runtime jetty configuration.

References

Link	Providers
https://docs.pingidentity.com/r/en-us/pingfederate-120/lwu1707324350083

History

Mon, 19 Aug 2024 14:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Pingidentity Pingidentity pingfederate
CPEs		cpe:2.3:a:pingidentity:pingfederate:::::::: cpe:2.3:a:pingidentity:pingfederate:12.0.0:::::::*
Vendors & Products		Pingidentity Pingidentity pingfederate

MITRE

Status: PUBLISHED

Assigner: Ping Identity

Published: 2024-07-09T23:03:27.722Z

Updated: 2024-08-01T22:43:34.512Z

Reserved: 2024-01-17T17:27:24.578Z

Link: CVE-2024-22377

Vulnrichment

Updated: 2024-08-01T22:43:34.512Z

NVD

Status : Modified

Published: 2024-07-09T23:15:10.620

Modified: 2024-11-21T08:56:09.157

Link: CVE-2024-22377

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-22377", "assignerOrgId": "5998a2e9-ae88-42cd-b6e0-7564fd979f9e", "state": "PUBLISHED", "assignerShortName": "Ping Identity", "dateReserved": "2024-01-17T17:27:24.578Z", "datePublished": "2024-07-09T23:03:27.722Z", "dateUpdated": "2024-08-01T22:43:34.512Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://www.pingidentity.com/en/resources/downloads/pingfederate.html", "defaultStatus": "unaffected", "product": "PingFederate", "vendor": "Ping Identity", "versions": [{"lessThanOrEqual": "11.0.9", "status": "affected", "version": "11.0.0", "versionType": "custom"}, {"lessThanOrEqual": "11.1.9", "status": "affected", "version": "11.1.0", "versionType": "custom"}, {"lessThanOrEqual": "11.2.8", "status": "affected", "version": "11.2.0", "versionType": "custom"}, {"lessThanOrEqual": "11.3.4", "status": "affected", "version": "11.3.0", "versionType": "custom"}, {"status": "affected", "version": "12.0.0", "versionType": "custom"}, {"lessThanOrEqual": "10.3.13", "status": "affected", "version": "10.3.0", "versionType": "custom"}]}], "configurations": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "All instances of PingFederate on vulnerable versions are vulnerable to this issue.<br>"}], "value": "All instances of PingFederate on vulnerable versions are vulnerable to this issue."}], "datePublic": "2024-07-09T22:27:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The deploy directory in PingFederate runtime nodes is reachable to unauthorized users.<br>"}], "value": "The deploy directory in PingFederate runtime nodes is reachable to unauthorized users."}], "impacts": [{"capecId": "CAPEC-126", "descriptions": [{"lang": "en", "value": "CAPEC-126 Path Traversal"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "5998a2e9-ae88-42cd-b6e0-7564fd979f9e", "shortName": "Ping Identity", "dateUpdated": "2024-07-09T23:03:27.722Z"}, "references": [{"url": "https://docs.pingidentity.com/r/en-us/pingfederate-120/lwu1707324350083"}], "source": {"discovery": "UNKNOWN"}, "title": "PingFederate Runtime Node Path Traversal", "workarounds": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The deploy directory can be restricted by making changes to runtime jetty configuration.  <br>"}], "value": "The deploy directory can be restricted by making changes to runtime jetty configuration."}], "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"affected": [{"vendor": "pingidentity", "product": "pingfederate", "cpes": ["cpe:2.3:a:pingidentity:pingfederate:10.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:pingidentity:pingfederate:11.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:pingidentity:pingfederate:11.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:pingidentity:pingfederate:11.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:pingidentity:pingfederate:11.3.0:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "versions": [{"version": "10.3.0", "status": "affected", "lessThanOrEqual": "10.3.13", "versionType": "custom"}, {"version": "11.0.0", "status": "affected", "lessThanOrEqual": "11.0.9", "versionType": "custom"}, {"version": "11.1.0", "status": "affected", "lessThanOrEqual": "11.1.9", "versionType": "custom"}, {"version": "11.2.0", "status": "affected", "lessThanOrEqual": "11.2.8", "versionType": "custom"}, {"version": "11.3.0", "status": "affected", "lessThanOrEqual": "11.3.4", "versionType": "custom"}]}, {"vendor": "pingidentity", "product": "pingfederate", "cpes": ["cpe:2.3:a:pingidentity:pingfederate:12.0.0:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "versions": [{"version": "12.0.0", "status": "affected"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-15T13:15:10.302158Z", "id": "CVE-2024-22377", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-23T16:13:24.203Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:43:34.512Z"}, "title": "CVE Program Container", "references": [{"url": "https://docs.pingidentity.com/r/en-us/pingfederate-120/lwu1707324350083", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://docs.pingidentity.com/r/en-us/pingfederate-120/lwu1707324350083", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:43:34.512Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-22377", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-15T13:15:10.302158Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:pingidentity:pingfederate:10.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:pingidentity:pingfederate:11.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:pingidentity:pingfederate:11.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:pingidentity:pingfederate:11.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:pingidentity:pingfederate:11.3.0:*:*:*:*:*:*:*"], "vendor": "pingidentity", "product": "pingfederate", "versions": [{"status": "affected", "version": "10.3.0", "versionType": "custom", "lessThanOrEqual": "10.3.13"}, {"status": "affected", "version": "11.0.0", "versionType": "custom", "lessThanOrEqual": "11.0.9"}, {"status": "affected", "version": "11.1.0", "versionType": "custom", "lessThanOrEqual": "11.1.9"}, {"status": "affected", "version": "11.2.0", "versionType": "custom", "lessThanOrEqual": "11.2.8"}, {"status": "affected", "version": "11.3.0", "versionType": "custom", "lessThanOrEqual": "11.3.4"}], "defaultStatus": "unaffected"}, {"cpes": ["cpe:2.3:a:pingidentity:pingfederate:12.0.0:*:*:*:*:*:*:*"], "vendor": "pingidentity", "product": "pingfederate", "versions": [{"status": "affected", "version": "12.0.0"}], "defaultStatus": "unaffected"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-15T13:19:48.976Z"}}], "cna": {"title": "PingFederate Runtime Node Path Traversal", "source": {"discovery": "UNKNOWN"}, "impacts": [{"capecId": "CAPEC-126", "descriptions": [{"lang": "en", "value": "CAPEC-126 Path Traversal"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Ping Identity", "product": "PingFederate", "versions": [{"status": "affected", "version": "11.0.0", "versionType": "custom", "lessThanOrEqual": "11.0.9"}, {"status": "affected", "version": "11.1.0", "versionType": "custom", "lessThanOrEqual": "11.1.9"}, {"status": "affected", "version": "11.2.0", "versionType": "custom", "lessThanOrEqual": "11.2.8"}, {"status": "affected", "version": "11.3.0", "versionType": "custom", "lessThanOrEqual": "11.3.4"}, {"status": "affected", "version": "12.0.0", "versionType": "custom"}, {"status": "affected", "version": "10.3.0", "versionType": "custom", "lessThanOrEqual": "10.3.13"}], "collectionURL": "https://www.pingidentity.com/en/resources/downloads/pingfederate.html", "defaultStatus": "unaffected"}], "datePublic": "2024-07-09T22:27:00.000Z", "references": [{"url": "https://docs.pingidentity.com/r/en-us/pingfederate-120/lwu1707324350083"}], "workarounds": [{"lang": "en", "value": "The deploy directory can be restricted by making changes to runtime jetty configuration.", "supportingMedia": [{"type": "text/html", "value": "The deploy directory can be restricted by making changes to runtime jetty configuration.  <br>", "base64": false}]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "The deploy directory in PingFederate runtime nodes is reachable to unauthorized users.", "supportingMedia": [{"type": "text/html", "value": "The deploy directory in PingFederate runtime nodes is reachable to unauthorized users.<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "configurations": [{"lang": "en", "value": "All instances of PingFederate on vulnerable versions are vulnerable to this issue.", "supportingMedia": [{"type": "text/html", "value": "All instances of PingFederate on vulnerable versions are vulnerable to this issue.<br>", "base64": false}]}], "providerMetadata": {"orgId": "5998a2e9-ae88-42cd-b6e0-7564fd979f9e", "shortName": "Ping Identity", "dateUpdated": "2024-07-09T23:03:27.722Z"}}}, "cveMetadata": {"cveId": "CVE-2024-22377", "state": "PUBLISHED", "dateUpdated": "2024-08-01T22:43:34.512Z", "dateReserved": "2024-01-17T17:27:24.578Z", "assignerOrgId": "5998a2e9-ae88-42cd-b6e0-7564fd979f9e", "datePublished": "2024-07-09T23:03:27.722Z", "assignerShortName": "Ping Identity"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pingidentity:pingfederate:*:*:*:*:*:*:*:*", "matchCriteriaId": "73C9BB16-0B50-40AD-991D-CE55D1B4DE56", "versionEndIncluding": "10.3.13", "versionStartIncluding": "10.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:pingidentity:pingfederate:*:*:*:*:*:*:*:*", "matchCriteriaId": "4A809B38-F404-4DB2-BD2C-68D2D4B98A68", "versionEndIncluding": "11.0.9", "versionStartIncluding": "11.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:pingidentity:pingfederate:*:*:*:*:*:*:*:*", "matchCriteriaId": "703CAE2D-061F-4FCC-A640-2649656830E4", "versionEndIncluding": "11.1.9", "versionStartIncluding": "11.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:pingidentity:pingfederate:*:*:*:*:*:*:*:*", "matchCriteriaId": "9E7DA8B9-7439-4ABC-A37A-D9FF13D8884C", "versionEndIncluding": "11.2.8", "versionStartIncluding": "11.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:pingidentity:pingfederate:*:*:*:*:*:*:*:*", "matchCriteriaId": "4425C90D-DBB8-4090-A8F0-8ECE129D19DD", "versionEndIncluding": "11.3.4", "versionStartIncluding": "11.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:pingidentity:pingfederate:12.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "A62E1361-EFC7-4242-88AD-995A113A6CFC", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The deploy directory in PingFederate runtime nodes is reachable to unauthorized users."}, {"lang": "es", "value": "El directorio de implementaci\u00f3n en los nodos de tiempo de ejecuci\u00f3n de PingFederate es accesible para usuarios no autorizados."}], "id": "CVE-2024-22377", "lastModified": "2024-11-21T08:56:09.157", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "responsible-disclosure@pingidentity.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-07-09T23:15:10.620", "references": [{"source": "responsible-disclosure@pingidentity.com", "tags": ["Broken Link"], "url": "https://docs.pingidentity.com/r/en-us/pingfederate-120/lwu1707324350083"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Broken Link"], "url": "https://docs.pingidentity.com/r/en-us/pingfederate-120/lwu1707324350083"}], "sourceIdentifier": "responsible-disclosure@pingidentity.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "responsible-disclosure@pingidentity.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}]}