oneidentity CVE Vulnerabilities & Metrics

Focus on oneidentity vulnerabilities and metrics.

Last updated: 26 Nov 2025, 23:25 UTC

About oneidentity Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with oneidentity. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.

For a broader perspective on cybersecurity threats, explore the comprehensive list of CVEs by vendor and product. Stay updated on critical vulnerabilities affecting major software and hardware providers.

Global CVE Overview

Total oneidentity CVEs: 10
Earliest CVE date: 28 Oct 2002, 05:00 UTC
Latest CVE date: 07 May 2025, 16:15 UTC

Latest CVE reference: CVE-2024-47619

Rolling Stats

30-day Count (Rolling): 0
365-day Count (Rolling): 1

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): 0%
Year Variation (Calendar): -50.0%

Month Growth Rate (30-day Rolling): 0.0%
Year Growth Rate (365-day Rolling): -50.0%

Monthly CVE Trends (current vs previous Year)

Annual CVE Trends (Last 20 Years)

Critical oneidentity CVEs (CVSS ≥ 9) Over 20 Years

CVSS Stats

Average CVSS: 3.9

Max CVSS: 9.3

Critical CVEs (≥9): 1

CVSS Range vs. Count

Range	Count
0.0-3.9	5
4.0-6.9	6
7.0-8.9	2
9.0-10.0	1

CVSS Distribution Chart

Top 5 Highest CVSS oneidentity CVEs

These are the five CVEs with the highest CVSS scores for oneidentity, sorted by severity first and recency.

CVE-2008-5110 oneidentity Published on 17 Nov 2008, 22:21 UTC (CVSS: 9.3)
syslog-ng does not call chdir when it calls chroot, which might allow attackers to escape the intended jail. NOTE: this is only a vulnerability when a separate vulnerability is present. This flaw affects syslog-ng versions prior to and including 2.0.9.
CVE-2002-1200 oneidentity Published on 28 Oct 2002, 05:00 UTC (CVSS: 7.5)
Balabit Syslog-NG 1.4.x before 1.4.15, and 1.5.x before 1.5.20, when using template filenames or output, does not properly track the size of a buffer when constant characters are encountered during macro expansion, which allows remote attackers to cause a denial of service and possibly execute arbitrary code.
CVE-2020-8019 oneidentity Published on 29 Jun 2020, 12:15 UTC (CVSS: 7.2)
A UNIX Symbolic Link (Symlink) Following vulnerability in the packaging of syslog-ng of SUSE Linux Enterprise Debuginfo 11-SP3, SUSE Linux Enterprise Debuginfo 11-SP4, SUSE Linux Enterprise Module for Legacy Software 12, SUSE Linux Enterprise Point of Sale 11-SP3, SUSE Linux Enterprise Server 11-SP4-LTSS, SUSE Linux Enterprise Server for SAP 12-SP1; openSUSE Backports SLE-15-SP1, openSUSE Leap ...
CVE-2011-0343 oneidentity Published on 28 Jan 2011, 16:00 UTC (CVSS: 6.9)
Balabit syslog-ng 2.0, 3.0, 3.1, 3.2 OSE and PE, when running on FreeBSD or HP-UX, does not properly perform cast operations, which causes syslog-ng to use a default value of -1 to create log files with insecure permissions (07777), which allows local users to read and write to these log files.
CVE-2019-13498 oneidentity Published on 29 Jul 2019, 17:15 UTC (CVSS: 5.8)
One Identity Cloud Access Manager 8.1.3 does not use HTTP Strict Transport Security (HSTS), which may allow man-in-the-middle (MITM) attacks. This issue is fixed in version 8.1.4.

All CVEs for oneidentity

CVE-2024-47619 oneidentity vulnerability CVSS: 0 07 May 2025, 16:15 UTC

syslog-ng is an enhanced log daemo. Prior to version 4.8.2, `tls_wildcard_match()` matches on certificates such as `foo.*.bar` although that is not allowed. It is also possible to pass partial wildcards such as `foo.a*c.bar` which glib matches but should be avoided / invalidated. This issue could have an impact on TLS connections, such as in man-in-the-middle situations. Version 4.8.2 contains a fix for the issue.

CVE-2023-51772 oneidentity vulnerability CVSS: 0 25 Dec 2023, 06:15 UTC

One Identity Password Manager before 5.13.1 allows Kiosk Escape. This product enables users to reset their Active Directory passwords on the login screen of a Windows client. It launches a Chromium based browser in Kiosk mode to provide the reset functionality. The escape sequence is: wait for a session timeout, click on the Help icon, observe that there is a browser window for the One Identity website, navigate to any website that offers file upload, navigate to cmd.exe from the file explorer window, and launch cmd.exe as NT AUTHORITY\SYSTEM.

CVE-2023-48654 oneidentity vulnerability CVSS: 0 25 Dec 2023, 06:15 UTC

One Identity Password Manager before 5.13.1 allows Kiosk Escape. This product enables users to reset their Active Directory passwords on the login screen of a Windows client. It launches a Chromium based browser in Kiosk mode to provide the reset functionality. The escape sequence is: go to the Google ReCAPTCHA section, click on the Privacy link, observe that there is a new browser window, navigate to any website that offers file upload, navigate to cmd.exe from the file explorer window, and launch cmd.exe as NT AUTHORITY\SYSTEM.

CVE-2023-4003 oneidentity vulnerability CVSS: 0 27 Sep 2023, 15:19 UTC

One Identity Password Manager version 5.9.7.1 - An unauthenticated attacker with physical access to a workstation may upgrade privileges to SYSTEM through an unspecified method. CWE-250: Execution with Unnecessary Privileges.

CVE-2022-38725 oneidentity vulnerability CVSS: 0 23 Jan 2023, 16:15 UTC

An integer overflow in the RFC3164 parser in One Identity syslog-ng 3.0 through 3.37 allows remote attackers to cause a Denial of Service via crafted syslog input that is mishandled by the tcp or network function. syslog-ng Premium Edition 7.0.30 and syslog-ng Store Box 6.10.0 are also affected.

CVE-2020-7962 oneidentity vulnerability CVSS: 5.0 13 Nov 2020, 19:15 UTC

An issue was discovered in One Identity Password Manager 5.8. An attacker could enumerate valid answers for a user. It is possible for an attacker to detect a valid answer based on the HTTP response content, and reuse this answer later for a password reset on a chosen password. The enumeration is possible because, within the HTTP response content, WRONG ID is only returned when the answer is incorrect.

CVE-2020-8019 oneidentity vulnerability CVSS: 7.2 29 Jun 2020, 12:15 UTC

A UNIX Symbolic Link (Symlink) Following vulnerability in the packaging of syslog-ng of SUSE Linux Enterprise Debuginfo 11-SP3, SUSE Linux Enterprise Debuginfo 11-SP4, SUSE Linux Enterprise Module for Legacy Software 12, SUSE Linux Enterprise Point of Sale 11-SP3, SUSE Linux Enterprise Server 11-SP4-LTSS, SUSE Linux Enterprise Server for SAP 12-SP1; openSUSE Backports SLE-15-SP1, openSUSE Leap 15.1 allowed local attackers controlling the user news to escalate their privileges to root. This issue affects: SUSE Linux Enterprise Debuginfo 11-SP3 syslog-ng versions prior to 2.0.9-27.34.40.5.1. SUSE Linux Enterprise Debuginfo 11-SP4 syslog-ng versions prior to 2.0.9-27.34.40.5.1. SUSE Linux Enterprise Module for Legacy Software 12 syslog-ng versions prior to 3.6.4-12.8.1. SUSE Linux Enterprise Point of Sale 11-SP3 syslog-ng versions prior to 2.0.9-27.34.40.5.1. SUSE Linux Enterprise Server 11-SP4-LTSS syslog-ng versions prior to 2.0.9-27.34.40.5.1. SUSE Linux Enterprise Server for SAP 12-SP1 syslog-ng versions prior to 3.6.4-12.8.1. openSUSE Backports SLE-15-SP1 syslog-ng versions prior to 3.19.1-bp151.4.6.1. openSUSE Leap 15.1 syslog-ng versions prior to 3.19.1-lp151.3.6.1.

CVE-2019-13497 oneidentity vulnerability CVSS: 4.3 04 Nov 2019, 18:15 UTC

One Identity Cloud Access Manager before 8.1.4 Hotfix 1 allows CSRF for logout requests.

CVE-2019-13496 oneidentity vulnerability CVSS: 4.3 04 Nov 2019, 17:15 UTC

One Identity Cloud Access Manager before 8.1.4 Hotfix 1 allows OTP bypass via vectors involving a man in the middle, the One Identity Defender product, and replacing a failed SAML response with a successful SAML response.

CVE-2019-13498 oneidentity vulnerability CVSS: 5.8 29 Jul 2019, 17:15 UTC

One Identity Cloud Access Manager 8.1.3 does not use HTTP Strict Transport Security (HSTS), which may allow man-in-the-middle (MITM) attacks. This issue is fixed in version 8.1.4.

CVE-2011-1951 oneidentity vulnerability CVSS: 4.3 11 Jul 2011, 20:55 UTC

lib/logmatcher.c in Balabit syslog-ng before 3.2.4, when the global flag is set and when using PCRE 8.12 and possibly other versions, allows remote attackers to cause a denial of service (memory consumption) via a message that does not match a regular expression.

CVE-2011-0343 oneidentity vulnerability CVSS: 6.9 28 Jan 2011, 16:00 UTC

Balabit syslog-ng 2.0, 3.0, 3.1, 3.2 OSE and PE, when running on FreeBSD or HP-UX, does not properly perform cast operations, which causes syslog-ng to use a default value of -1 to create log files with insecure permissions (07777), which allows local users to read and write to these log files.

CVE-2008-5110 oneidentity vulnerability CVSS: 9.3 17 Nov 2008, 22:21 UTC

syslog-ng does not call chdir when it calls chroot, which might allow attackers to escape the intended jail. NOTE: this is only a vulnerability when a separate vulnerability is present. This flaw affects syslog-ng versions prior to and including 2.0.9.

CVE-2002-1200 oneidentity vulnerability CVSS: 7.5 28 Oct 2002, 05:00 UTC

Balabit Syslog-NG 1.4.x before 1.4.15, and 1.5.x before 1.5.20, when using template filenames or output, does not properly track the size of a buffer when constant characters are encountered during macro expansion, which allows remote attackers to cause a denial of service and possibly execute arbitrary code.