CVE-2025-21085 - Vulnerability Details - OpenCVE

PingFederate OAuth2 grant duplication in PostgreSQL persistent storage allows OAuth2 requests to use excessive memory utilization.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements Present

User Interaction Passive

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact Low

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

No data.

No data.

No data.

References

Link	Providers
https://support.pingidentity.com/s/article/PingFederate-grant-attribute-duplication-with-PostgreSQL
https://www.pingidentity.com/en/resources/downloads/pingfederate.html

History

Mon, 16 Jun 2025 18:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Sun, 15 Jun 2025 14:45:00 +0000

Type	Values Removed	Values Added
Description		PingFederate OAuth2 grant duplication in PostgreSQL persistent storage allows OAuth2 requests to use excessive memory utilization.
Title		PingFederate OAuth Grant attribute duplication may use excessive memory
Weaknesses		CWE-462
References		https://support.pingidentity.com/s/article/PingFederate-grant-attribute-duplication-with-PostgreSQL https://www.pingidentity.com/en/resources/downloads/pingfederate.html
Metrics		cvssV4_0 `{'score': 2.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/S:P/AU:Y/R:A/RE:L/U:Amber'}`

MITRE

Status: PUBLISHED

Assigner: Ping Identity

Published: 2025-06-15T14:25:39.067Z

Updated: 2025-06-16T18:08:20.514Z

Reserved: 2025-04-16T01:21:55.198Z

Link: CVE-2025-21085

Vulnrichment

Updated: 2025-06-16T18:08:17.680Z

NVD

Status : Awaiting Analysis

Published: 2025-06-15T15:15:18.330

Modified: 2025-06-16T12:32:18.840

Link: CVE-2025-21085

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-21085", "assignerOrgId": "5998a2e9-ae88-42cd-b6e0-7564fd979f9e", "state": "PUBLISHED", "assignerShortName": "Ping Identity", "dateReserved": "2025-04-16T01:21:55.198Z", "datePublished": "2025-06-15T14:25:39.067Z", "dateUpdated": "2025-06-16T18:08:20.514Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "modules": ["PostgreSQL"], "platforms": ["Windows", "Linux"], "product": "PingFederate", "vendor": "Ping Identity", "versions": [{"lessThan": "12.2.4", "status": "affected", "version": "12.2.0", "versionType": "custom"}, {"lessThan": "12.1.9", "status": "affected", "version": "12.1.0", "versionType": "custom"}, {"lessThan": "12.0.9", "status": "affected", "version": "12.0", "versionType": "custom"}, {"lessThan": "11.3.13", "status": "affected", "version": "11.3.0", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "PingFederate OAuth2 grant duplication in PostgreSQL persistent storage allows OAuth2 requests to use excessive memory utilization."}], "value": "PingFederate OAuth2 grant duplication in PostgreSQL persistent storage allows OAuth2 requests to use excessive memory utilization."}], "impacts": [{"capecId": "CAPEC-130", "descriptions": [{"lang": "en", "value": "CAPEC-130 Excessive Allocation"}]}], "metrics": [{"cvssV4_0": {"Automatable": "YES", "Recovery": "AUTOMATIC", "Safety": "PRESENT", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "baseScore": 2.1, "baseSeverity": "LOW", "privilegesRequired": "LOW", "providerUrgency": "AMBER", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/S:P/AU:Y/R:A/RE:L/U:Amber", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "LOW"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-462", "description": "CWE-462 Duplicate Key in Associative List", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "5998a2e9-ae88-42cd-b6e0-7564fd979f9e", "shortName": "Ping Identity", "dateUpdated": "2025-06-15T14:25:39.067Z"}, "references": [{"tags": ["mitigation"], "url": "https://support.pingidentity.com/s/article/PingFederate-grant-attribute-duplication-with-PostgreSQL"}, {"tags": ["patch"], "url": "https://www.pingidentity.com/en/resources/downloads/pingfederate.html"}], "source": {"discovery": "EXTERNAL"}, "title": "PingFederate OAuth Grant attribute duplication may use excessive memory", "workarounds": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Configuration options to mitigate:<br><ul><li>Minimum Interval to Roll Refresh Tokens</li><li><span style=\"background-color: rgb(255, 255, 255);\">Refresh Token Rolling Grace Period (Seconds)</span><br></li></ul>"}], "value": "Configuration options to mitigate:\n * Minimum Interval to Roll Refresh Tokens\n * Refresh Token Rolling Grace Period (Seconds)"}], "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-06-16T18:08:12.829414Z", "id": "CVE-2025-21085", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-16T18:08:20.514Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "PingFederate OAuth Grant attribute duplication may use excessive memory", "source": {"discovery": "EXTERNAL"}, "impacts": [{"capecId": "CAPEC-130", "descriptions": [{"lang": "en", "value": "CAPEC-130 Excessive Allocation"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "PRESENT", "version": "4.0", "Recovery": "AUTOMATIC", "baseScore": 2.1, "Automatable": "YES", "attackVector": "NETWORK", "baseSeverity": "LOW", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/S:P/AU:Y/R:A/RE:L/U:Amber", "providerUrgency": "AMBER", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Ping Identity", "modules": ["PostgreSQL"], "product": "PingFederate", "versions": [{"status": "affected", "version": "12.2.0", "lessThan": "12.2.4", "versionType": "custom"}, {"status": "affected", "version": "12.1.0", "lessThan": "12.1.9", "versionType": "custom"}, {"status": "affected", "version": "12.0", "lessThan": "12.0.9", "versionType": "custom"}, {"status": "affected", "version": "11.3.0", "lessThan": "11.3.13", "versionType": "custom"}], "platforms": ["Windows", "Linux"], "defaultStatus": "unaffected"}], "references": [{"url": "https://support.pingidentity.com/s/article/PingFederate-grant-attribute-duplication-with-PostgreSQL", "tags": ["mitigation"]}, {"url": "https://www.pingidentity.com/en/resources/downloads/pingfederate.html", "tags": ["patch"]}], "workarounds": [{"lang": "en", "value": "Configuration options to mitigate:\n * Minimum Interval to Roll Refresh Tokens\n * Refresh Token Rolling Grace Period (Seconds)", "supportingMedia": [{"type": "text/html", "value": "Configuration options to mitigate:<br><ul><li>Minimum Interval to Roll Refresh Tokens</li><li><span style=\"background-color: rgb(255, 255, 255);\">Refresh Token Rolling Grace Period (Seconds)</span><br></li></ul>", "base64": false}]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "PingFederate OAuth2 grant duplication in PostgreSQL persistent storage allows OAuth2 requests to use excessive memory utilization.", "supportingMedia": [{"type": "text/html", "value": "PingFederate OAuth2 grant duplication in PostgreSQL persistent storage allows OAuth2 requests to use excessive memory utilization.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-462", "description": "CWE-462 Duplicate Key in Associative List"}]}], "providerMetadata": {"orgId": "5998a2e9-ae88-42cd-b6e0-7564fd979f9e", "shortName": "Ping Identity", "dateUpdated": "2025-06-15T14:25:39.067Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-21085", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-06-16T18:08:12.829414Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2025-06-16T18:08:17.680Z"}}]}, "cveMetadata": {"cveId": "CVE-2025-21085", "state": "PUBLISHED", "dateUpdated": "2025-06-15T14:25:39.067Z", "dateReserved": "2025-04-16T01:21:55.198Z", "assignerOrgId": "5998a2e9-ae88-42cd-b6e0-7564fd979f9e", "datePublished": "2025-06-15T14:25:39.067Z", "assignerShortName": "Ping Identity"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "PingFederate OAuth2 grant duplication in PostgreSQL persistent storage allows OAuth2 requests to use excessive memory utilization."}, {"lang": "es", "value": "La duplicaci\u00f3n de concesiones OAuth2 de PingFederate en el almacenamiento persistente de PostgreSQL permite que las solicitudes OAuth2 utilicen una memoria excesiva."}], "id": "CVE-2025-21085", "lastModified": "2025-06-16T12:32:18.840", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "YES", "Recovery": "AUTOMATIC", "Safety": "PRESENT", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.1, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "AMBER", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:A/V:X/RE:L/U:Amber", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "LOW"}, "source": "responsible-disclosure@pingidentity.com", "type": "Secondary"}]}, "published": "2025-06-15T15:15:18.330", "references": [{"source": "responsible-disclosure@pingidentity.com", "url": "https://support.pingidentity.com/s/article/PingFederate-grant-attribute-duplication-with-PostgreSQL"}, {"source": "responsible-disclosure@pingidentity.com", "url": "https://www.pingidentity.com/en/resources/downloads/pingfederate.html"}], "sourceIdentifier": "responsible-disclosure@pingidentity.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-462"}], "source": "responsible-disclosure@pingidentity.com", "type": "Secondary"}]}