Lucene search

Ping IdentityCVE-2022-40722

HistoryApr 25, 2023 - 7:15 p.m.

CVE-2022-40722

2023-04-2519:15:10

CWE-780

CWE-327

Ping Identity

web.nvd.nist.gov

cve-2022-40722

pingid

pingfederate

rsa

padding

misconfiguration

dictionary attacks

offline mfa

CVSS3

7.7

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N

AI Score

5.6

Confidence

High

EPSS

0.001

Percentile

17.5%

JSON

A misconfiguration of RSA padding implemented in the PingID Adapter for PingFederate to support Offline MFA with PingID mobile authenticators is vulnerable to pre-computed dictionary attacks, leading to a bypass of offline MFA.

Affected configurations

Nvd

Node

pingidentitypingfederateRange11.1.0–11.1.5

pingidentitypingfederateRange11.2.0–11.2.2

pingidentitypingid_adapter_for_pingfederateRange<2.13.2

pingidentitypingid_integration_kitRange<2.24

VendorProductVersionCPE
pingidentitypingfederate*cpe:2.3:a:pingidentity:pingfederate:*:*:*:*:*:*:*:*
pingidentitypingid_adapter_for_pingfederate*cpe:2.3:a:pingidentity:pingid_adapter_for_pingfederate:*:*:*:*:*:*:*:*
pingidentitypingid_integration_kit*cpe:2.3:a:pingidentity:pingid_integration_kit:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
pingidentity	pingfederate	*	cpe:2.3:a:pingidentity:pingfederate::::::::
pingidentity	pingid_adapter_for_pingfederate	*	cpe:2.3:a:pingidentity:pingid_adapter_for_pingfederate::::::::
pingidentity	pingid_integration_kit	*	cpe:2.3:a:pingidentity:pingid_integration_kit::::::::

CNA Affected

[
  {
    "vendor": "Ping Identity",
    "product": "PingID Adapter for PingFederate",
    "versions": [
      {
        "version": "2.13.2",
        "status": "affected",
        "lessThan": "2.13.2",
        "versionType": "custom"
      }
    ]
  },
  {
    "vendor": "Ping Identity",
    "product": "PingID Integration Kit (includes PingID Adapter)",
    "versions": [
      {
        "version": "2.24",
        "status": "affected",
        "lessThan": "2.24",
        "versionType": "custom"
      }
    ]
  },
  {
    "vendor": "Ping Identity",
    "product": "PingFederate (includes PingID Adapter)",
    "versions": [
      {
        "version": "11.1.0",
        "status": "affected",
        "lessThan": "11.1.0*",
        "versionType": "custom"
      },
      {
        "version": "11.1.5",
        "status": "affected",
        "lessThanOrEqual": "11.1.5",
        "versionType": "custom"
      },
      {
        "version": "11.2.0",
        "status": "affected",
        "lessThan": "11.2.0*",
        "versionType": "custom"
      },
      {
        "version": "11.2.2",
        "status": "affected",
        "lessThanOrEqual": "11.2.2",
        "versionType": "custom"
      }
    ]
  }
]

References

docs.pingidentity.com/r/en-us/pingid/pingid_adapter_configuring_offline_mfa

docs.pingidentity.com/r/en-us/pingid/pingid_integration_kit_2_20_rn

CVSS3

7.7

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N

AI Score

5.6

Confidence

High

EPSS

0.001

Percentile

17.5%

JSON

Related for CVE-2022-40722