6.3
CVE-2026-20746
- EPSS 0.28%
- Published 12.06.2026 02:16:59
- Last modified 12.06.2026 16:06:17
- Source responsible-disclosure@pingide
PingDirectory copying of virtual attributes leads to memory exhaustion
Virtual attribute handling in Ping Identity PingDirectory in affected versions allows only authorized users to exhaust the Java memory heap when recent login history is enabled and virtual attributes that reference ds-privilege-name values are copied.
Data is provided by the CVE Program from a CVE Numbering Authority (CNA) (unstructured).
Vendor: Ping Identity
Product: PingDirectory
Default status: unaffected

| Version from | Version up to | Status |
|---|---|---|
| 9.3.0.0 | <= 9.3.0.8 | affected |
| 10.1.0.0 | <= 10.1.0.5 | unknown |
| 10.2.0.0 | <= 10.2.0.5 | affected |
| 10.3.0.0 | <= 10.3.0.3 | affected |
| 11.0.0.0 | < 11.0.0.1 | affected |

VulnDex Vulnerability Enrichment

| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.28% | 0.193 |

| Source | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| responsible-disclosure@pingidentity.com | 6.3 | 0 | 0 | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:L/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:U/V:X/RE:M/U:Amber |

CWE-401 Missing Release of Memory after Effective Lifetime
The product does not sufficiently track and release allocated memory after it has been used, which slowly consumes remaining memory.
https://www.pingidentity.com/en/resources/downloads/pingdirectory-downloads.html
https://docs.pingidentity.com/pingdirectory/11.0/release_notes/pd_release_notes.html#pingdirectory-suite-of-products-11-0-0-1-march-2026
https://support.pingidentity.com/s/article/SECADV052-Denial-of-Service-via-copying-virtual-attributes