History: Apr 25, 2023 - 7:15 p.m.

CVE-2022-23721

2023-04-25 19:15:10
CWE-74
CWE-694
Ping Identity
web.nvd.nist.gov
cve-2022-23721
pingid
windows login
vulnerability
username collision

CVSS3: 3.8

Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: LOW

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L

AI Score: 4.2
Confidence: High

EPSS: 0
Percentile: 9.0%

PingID integration for Windows login prior to 2.9 does not handle duplicate usernames, which can lead to a username collision when two people with the same username are provisioned onto the same machine at different times.

Affected configurations

Nvd

Node: pingidentity pingid_integration_for_windows_login, Range: <2.9

Vendor: pingidentity
Product: pingid_integration_for_windows_login
Version: *
CPE: cpe:2.3:a:pingidentity:pingid_integration_for_windows_login:*:*:*:*:*:*:*:*

CNA Affected

[
  {
    "vendor": "Ping Identity",
    "product": "unspecified",
    "versions": [
      {
        "version": "2.9",
        "status": "affected",
        "lessThan": "2.9",
        "versionType": "custom"
      }
    ]
  }
]
