CVE-2025-21085 (GCVE-0-2025-21085)
Vulnerability from cvelistv5
Published
2025-06-15 14:25
Modified
2025-06-16 18:08
Severity ?
2.1 (Low) - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/S:P/AU:Y/R:A/RE:L/U:Amber
CWE
  • CWE-462 - Duplicate Key in Associative List
Summary
PingFederate OAuth2 grant duplication in PostgreSQL persistent storage allows OAuth2 requests to use excessive memory utilization.
References
Impacted products
Vendor Product Version
Ping Identity PingFederate Version: 12.2.0   < 12.2.4
Version: 12.1.0   < 12.1.9
Version: 12.0   < 12.0.9
Version: 11.3.0   < 11.3.13
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-21085",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-16T18:08:12.829414Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-16T18:08:20.514Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "modules": [
            "PostgreSQL"
          ],
          "platforms": [
            "Windows",
            "Linux"
          ],
          "product": "PingFederate",
          "vendor": "Ping Identity",
          "versions": [
            {
              "lessThan": "12.2.4",
              "status": "affected",
              "version": "12.2.0",
              "versionType": "custom"
            },
            {
              "lessThan": "12.1.9",
              "status": "affected",
              "version": "12.1.0",
              "versionType": "custom"
            },
            {
              "lessThan": "12.0.9",
              "status": "affected",
              "version": "12.0",
              "versionType": "custom"
            },
            {
              "lessThan": "11.3.13",
              "status": "affected",
              "version": "11.3.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "PingFederate OAuth2 grant duplication in PostgreSQL persistent storage allows OAuth2 requests to use excessive memory utilization."
            }
          ],
          "value": "PingFederate OAuth2 grant duplication in PostgreSQL persistent storage allows OAuth2 requests to use excessive memory utilization."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-130",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-130 Excessive Allocation"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "YES",
            "Recovery": "AUTOMATIC",
            "Safety": "PRESENT",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 2.1,
            "baseSeverity": "LOW",
            "privilegesRequired": "LOW",
            "providerUrgency": "AMBER",
            "subAvailabilityImpact": "LOW",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "PASSIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/S:P/AU:Y/R:A/RE:L/U:Amber",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "LOW"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-462",
              "description": "CWE-462 Duplicate Key in Associative List",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-15T14:25:39.067Z",
        "orgId": "5998a2e9-ae88-42cd-b6e0-7564fd979f9e",
        "shortName": "Ping Identity"
      },
      "references": [
        {
          "tags": [
            "mitigation"
          ],
          "url": "https://support.pingidentity.com/s/article/PingFederate-grant-attribute-duplication-with-PostgreSQL"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://www.pingidentity.com/en/resources/downloads/pingfederate.html"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "PingFederate OAuth Grant attribute duplication may use excessive memory",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Configuration options to mitigate:\u003cbr\u003e\u003cul\u003e\u003cli\u003eMinimum Interval to Roll Refresh Tokens\u003c/li\u003e\u003cli\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eRefresh Token Rolling Grace Period (Seconds)\u003c/span\u003e\u003cbr\u003e\u003c/li\u003e\u003c/ul\u003e"
            }
          ],
          "value": "Configuration options to mitigate:\n  *  Minimum Interval to Roll Refresh Tokens\n  *  Refresh Token Rolling Grace Period (Seconds)"
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "5998a2e9-ae88-42cd-b6e0-7564fd979f9e",
    "assignerShortName": "Ping Identity",
    "cveId": "CVE-2025-21085",
    "datePublished": "2025-06-15T14:25:39.067Z",
    "dateReserved": "2025-04-16T01:21:55.198Z",
    "dateUpdated": "2025-06-16T18:08:20.514Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-21085\",\"sourceIdentifier\":\"responsible-disclosure@pingidentity.com\",\"published\":\"2025-06-15T15:15:18.330\",\"lastModified\":\"2025-06-16T12:32:18.840\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"PingFederate OAuth2 grant duplication in PostgreSQL persistent storage allows OAuth2 requests to use excessive memory utilization.\"},{\"lang\":\"es\",\"value\":\"La duplicaci\u00f3n de concesiones OAuth2 de PingFederate en el almacenamiento persistente de PostgreSQL permite que las solicitudes OAuth2 utilicen una memoria excesiva.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"responsible-disclosure@pingidentity.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:A/V:X/RE:L/U:Amber\",\"baseScore\":2.1,\"baseSeverity\":\"LOW\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"PRESENT\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"PASSIVE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"LOW\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"LOW\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"PRESENT\",\"Automatable\":\"YES\",\"Recovery\":\"AUTOMATIC\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"LOW\",\"providerUrgency\":\"AMBER\"}}]},\"weaknesses\":[{\"source\":\"responsible-disclosure@pingidentity.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-462\"}]}],\"references\":[{\"url\":\"https://support.pingidentity.com/s/article/PingFederate-grant-attribute-duplication-with-PostgreSQL\",\"source\":\"responsible-disclosure@pingidentity.com\"},{\"url\":\"https://www.pingidentity.com/en/resources/downloads/pingfederate.html\",\"source\":\"responsible-disclosure@pingidentity.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"title\": \"PingFederate OAuth Grant attribute duplication may use excessive memory\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"impacts\": [{\"capecId\": \"CAPEC-130\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-130 Excessive Allocation\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"PRESENT\", \"version\": \"4.0\", \"Recovery\": \"AUTOMATIC\", \"baseScore\": 2.1, \"Automatable\": \"YES\", \"attackVector\": \"NETWORK\", \"baseSeverity\": \"LOW\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/S:P/AU:Y/R:A/RE:L/U:Amber\", \"providerUrgency\": \"AMBER\", \"userInteraction\": \"PASSIVE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"LOW\", \"vulnAvailabilityImpact\": \"LOW\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"NONE\", \"vulnerabilityResponseEffort\": \"LOW\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Ping Identity\", \"modules\": [\"PostgreSQL\"], \"product\": \"PingFederate\", \"versions\": [{\"status\": \"affected\", \"version\": \"12.2.0\", \"lessThan\": \"12.2.4\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"12.1.0\", \"lessThan\": \"12.1.9\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"12.0\", \"lessThan\": \"12.0.9\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"11.3.0\", \"lessThan\": \"11.3.13\", \"versionType\": \"custom\"}], \"platforms\": [\"Windows\", \"Linux\"], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://support.pingidentity.com/s/article/PingFederate-grant-attribute-duplication-with-PostgreSQL\", \"tags\": [\"mitigation\"]}, {\"url\": \"https://www.pingidentity.com/en/resources/downloads/pingfederate.html\", \"tags\": [\"patch\"]}], \"workarounds\": [{\"lang\": \"en\", \"value\": \"Configuration options to mitigate:\\n  *  Minimum Interval to Roll Refresh Tokens\\n  *  Refresh Token Rolling Grace Period (Seconds)\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Configuration options to mitigate:\u003cbr\u003e\u003cul\u003e\u003cli\u003eMinimum Interval to Roll Refresh Tokens\u003c/li\u003e\u003cli\u003e\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003eRefresh Token Rolling Grace Period (Seconds)\u003c/span\u003e\u003cbr\u003e\u003c/li\u003e\u003c/ul\u003e\", \"base64\": false}]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"PingFederate OAuth2 grant duplication in PostgreSQL persistent storage allows OAuth2 requests to use excessive memory utilization.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"PingFederate OAuth2 grant duplication in PostgreSQL persistent storage allows OAuth2 requests to use excessive memory utilization.\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-462\", \"description\": \"CWE-462 Duplicate Key in Associative List\"}]}], \"providerMetadata\": {\"orgId\": \"5998a2e9-ae88-42cd-b6e0-7564fd979f9e\", \"shortName\": \"Ping Identity\", \"dateUpdated\": \"2025-06-15T14:25:39.067Z\"}}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-21085\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-06-16T18:08:12.829414Z\"}}}], \"providerMetadata\": {\"shortName\": \"CISA-ADP\", \"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"dateUpdated\": \"2025-06-16T18:08:17.680Z\"}}]}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-21085\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-06-15T14:25:39.067Z\", \"dateReserved\": \"2025-04-16T01:21:55.198Z\", \"assignerOrgId\": \"5998a2e9-ae88-42cd-b6e0-7564fd979f9e\", \"datePublished\": \"2025-06-15T14:25:39.067Z\", \"assignerShortName\": \"Ping Identity\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.