github - ghsa-p8q7-x4rw-5v8m

ghsa-p8q7-x4rw-5v8m

Vulnerability from github

Published

2025-06-15 15:30

Modified

2025-06-15 15:30

Severity ?

6.9 (Medium) - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/S:P/AU:Y/R:A/RE:M/U:Red

Details

Improper handling of non-200 http responses in the PingFederate Google Adapter leads to thread exhaustion under normal usage conditions.

Show details on source website

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2025-22854"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-394"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-15T15:15:19Z",
    "severity": "MODERATE"
  },
  "details": "Improper handling of non-200 http responses in\u00a0the PingFederate Google Adapter\u00a0leads to thread exhaustion under normal usage conditions.",
  "id": "GHSA-p8q7-x4rw-5v8m",
  "modified": "2025-06-15T15:30:31Z",
  "published": "2025-06-15T15:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22854"
    },
    {
      "type": "WEB",
      "url": "https://docs.pingidentity.com/integrations/google/google_login_integration_kit/pf_google_cic_changelog.html"
    },
    {
      "type": "WEB",
      "url": "https://www.pingidentity.com/en/resources/downloads/pingfederate.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:A/V:X/RE:M/U:Red",
      "type": "CVSS_V4"
    }
  ]
}

CVE-2025-22854 (GCVE-0-2025-22854)

Vulnerability from cvelistv5

Published

2025-06-15 15:00

Modified

2025-06-16 18:07

Severity ?

6.9 (Medium) - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/S:P/AU:Y/R:A/RE:M/U:Red

CWE

CWE-394 - Unexpected Status Code or Return Value

Summary

Improper handling of non-200 http responses in the PingFederate Google Adapter leads to thread exhaustion under normal usage conditions.

References

►

URL

Tags

	https://www.pingidentity.com/en/resources/downloads/pingfederate.html	patch
	https://docs.pingidentity.com/integrations/google/google_login_integration_kit/pf_google_cic_changelog.html	release-notes

Impacted products

	Vendor	Product	Version
	Ping Identity	PingFederate	Version: 1.0.1 < 1.5.2

Show details on NVD website

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-22854",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-16T18:07:24.657856Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-16T18:07:39.037Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "packageName": "Google Adapter",
          "platforms": [
            "Windows",
            "Linux"
          ],
          "product": "PingFederate",
          "vendor": "Ping Identity",
          "versions": [
            {
              "lessThan": "1.5.2",
              "status": "affected",
              "version": "1.0.1",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Improper handling of non-200 http responses in\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;the PingFederate Google Adapter\u003c/span\u003e\u0026nbsp;leads to thread exhaustion under normal usage conditions."
            }
          ],
          "value": "Improper handling of non-200 http responses in\u00a0the PingFederate Google Adapter\u00a0leads to thread exhaustion under normal usage conditions."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-130",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-130 Excessive Allocation"
            }
          ]
        },
        {
          "capecId": "CAPEC-469",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-469 HTTP DoS"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "YES",
            "Recovery": "AUTOMATIC",
            "Safety": "PRESENT",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "LOW",
            "providerUrgency": "RED",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "PASSIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/S:P/AU:Y/R:A/RE:M/U:Red",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "MODERATE"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-394",
              "description": "CWE-394 Unexpected Status Code or Return Value",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-15T15:00:06.010Z",
        "orgId": "5998a2e9-ae88-42cd-b6e0-7564fd979f9e",
        "shortName": "Ping Identity"
      },
      "references": [
        {
          "tags": [
            "patch"
          ],
          "url": "https://www.pingidentity.com/en/resources/downloads/pingfederate.html"
        },
        {
          "tags": [
            "release-notes"
          ],
          "url": "https://docs.pingidentity.com/integrations/google/google_login_integration_kit/pf_google_cic_changelog.html"
        }
      ],
      "source": {
        "advisory": "SECADV048",
        "defect": [
          "IK-3678"
        ],
        "discovery": "USER"
      },
      "title": "Possible thread exhaustion from processing http responses in PingFederate Google Adapter",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "5998a2e9-ae88-42cd-b6e0-7564fd979f9e",
    "assignerShortName": "Ping Identity",
    "cveId": "CVE-2025-22854",
    "datePublished": "2025-06-15T15:00:06.010Z",
    "dateReserved": "2025-01-13T16:41:43.959Z",
    "dateUpdated": "2025-06-16T18:07:39.037Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Log in or create an account to share your comment.

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.