Lucene search

Ping IdentityCVELIST:CVE-2022-23724

HistoryMay 04, 2022 - 4:30 p.m.

CVE-2022-23724 PingID Integration for Windows Login MFA Bypass

2022-05-0416:30:11

CWE-288

CWE-310

Ping Identity

www.cve.org

6.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N

8.4 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

25.3%

JSON

Use of static encryption key material allows forging an authentication token to other users within a tenant organization. MFA may be bypassed by redirecting an authentication flow to a target user. To exploit the vulnerability, must have compromised user credentials.

CNA Affected

[
  {
    "product": "PingID Integration for Windows Login",
    "vendor": "Ping Identity",
    "versions": [
      {
        "lessThanOrEqual": "2.4.1",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]

References

docs.pingidentity.com/bundle/pingid/page/xqz1597139945488.html

www.pingidentity.com/en/resources/downloads/pingid.html

6.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N

8.4 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

25.3%

JSON

Related for CVELIST:CVE-2022-23724