History: Apr 30, 2022 - 9:15 p.m.

CVE-2021-41992 PingID Windows Login RSA cryptographic weakness with possible offline MFA bypass

2022-04-30 21:15:19
CWE-310
CWE-288
Ping Identity
www.cve.org
3
cve-2021-41992
pingid
windows login
rsa
cryptographic weakness
offline mfa bypass
misconfiguration

CVSS3: 7.7

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: HIGH
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N

AI Score: 7.7
Confidence: High

EPSS: 0
Percentile: 12.6%

A misconfiguration of RSA in PingID Windows Login prior to 2.7 is vulnerable to pre-computed dictionary attacks, leading to an offline MFA bypass.

CNA Affected

[
  {
    "platforms": [
      "Windows"
    ],
    "product": "PingID Windows Login",
    "vendor": "Ping Identity",
    "versions": [
      {
        "lessThan": "2.7",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]
