Lucene search

Ping IdentityCVELIST:CVE-2023-39231

HistoryOct 24, 2023 - 7:56 p.m.

CVE-2023-39231 PingFederate PingOne MFA IK Device Pairing Second Factor Authentication Bypass

2023-10-2419:56:06

CWE-288

Ping Identity

www.cve.org

pingfederate

pingone mfa

ik device pairing

second factor authentication

bypass

cve-2023-39231

vulnerability

threat actor

exploit

7.3 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

7.4 High

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

16.0%

JSON

PingFederate using the PingOne MFA adapter allows a new MFA device to be paired without requiring second factor authentication from an existing registered device. A threat actor may be able to exploit this vulnerability to register their own MFA device if they have knowledge of a victim user’s first factor credentials.

CNA Affected

[
  {
    "defaultStatus": "affected",
    "product": "PingOne MFA Integration Kit",
    "vendor": "Ping Identity",
    "versions": [
      {
        "lessThan": "2.2.1",
        "status": "affected",
        "version": "2.2",
        "versionType": "custom"
      }
    ]
  }
]

References

docs.pingidentity.com/r/en-us/pingfederate-pingone-mfa-ik/bks1657303194394

www.pingidentity.com/en/resources/downloads/pingid.html

7.3 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

7.4 High

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

16.0%

JSON

Related for CVELIST:CVE-2023-39231