Lucene search

[email protected]CVE-2022-40722

HistoryApr 25, 2023 - 7:15 p.m.

CVE-2022-40722

2023-04-2519:15:10

CWE-327

CWE-780

[email protected]

web.nvd.nist.gov

cve-2022-40722

pingid

pingfederate

rsa

padding

misconfiguration

dictionary attacks

offline mfa

7.7 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N

5.6 Medium

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

17.5%

JSON

A misconfiguration of RSA padding implemented in the PingID Adapter for PingFederate to support Offline MFA with PingID mobile authenticators is vulnerable to pre-computed dictionary attacks, leading to a bypass of offline MFA.

Affected configurations

NVD

Node

pingidentitypingfederateRange11.1.0–11.1.5

pingidentitypingfederateRange11.2.0–11.2.2

pingidentitypingid_adapter_for_pingfederateRange<2.13.2

pingidentitypingid_integration_kitRange<2.24

CPENameOperatorVersion
pingidentity:pingfederatepingidentity pingfederatele11.1.5
pingidentity:pingfederatepingidentity pingfederatele11.2.2
pingidentity:pingid_adapter_for_pingfederatepingidentity pingid adapter for pingfederatelt2.13.2
pingidentity:pingid_integration_kitpingidentity pingid integration kitlt2.24

CPE	Name	Operator	Version
pingidentity:pingfederate	pingidentity pingfederate	le	11.1.5
pingidentity:pingfederate	pingidentity pingfederate	le	11.2.2
pingidentity:pingid_adapter_for_pingfederate	pingidentity pingid adapter for pingfederate	lt	2.13.2
pingidentity:pingid_integration_kit	pingidentity pingid integration kit	lt	2.24

CNA Affected

[
  {
    "vendor": "Ping Identity",
    "product": "PingID Adapter for PingFederate",
    "versions": [
      {
        "version": "2.13.2",
        "status": "affected",
        "lessThan": "2.13.2",
        "versionType": "custom"
      }
    ]
  },
  {
    "vendor": "Ping Identity",
    "product": "PingID Integration Kit (includes PingID Adapter)",
    "versions": [
      {
        "version": "2.24",
        "status": "affected",
        "lessThan": "2.24",
        "versionType": "custom"
      }
    ]
  },
  {
    "vendor": "Ping Identity",
    "product": "PingFederate (includes PingID Adapter)",
    "versions": [
      {
        "version": "11.1.0",
        "status": "affected",
        "lessThan": "11.1.0*",
        "versionType": "custom"
      },
      {
        "version": "11.1.5",
        "status": "affected",
        "lessThanOrEqual": "11.1.5",
        "versionType": "custom"
      },
      {
        "version": "11.2.0",
        "status": "affected",
        "lessThan": "11.2.0*",
        "versionType": "custom"
      },
      {
        "version": "11.2.2",
        "status": "affected",
        "lessThanOrEqual": "11.2.2",
        "versionType": "custom"
      }
    ]
  }
]

References

docs.pingidentity.com/r/en-us/pingid/pingid_adapter_configuring_offline_mfa

docs.pingidentity.com/r/en-us/pingid/pingid_integration_kit_2_20_rn

7.7 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N

5.6 Medium

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

17.5%

JSON

Related for CVE-2022-40722

prion1 cvelist1 nvd1