Lucene search

Ping IdentityCVE-2023-36496

HistoryFeb 01, 2024 - 11:15 p.m.

CVE-2023-36496

2024-02-0123:15:09

CWE-269

Ping Identity

web.nvd.nist.gov

delegated admin

privilege

virtual attribute

directory server

cve-2023-36496

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

8.4

Confidence

High

EPSS

0.001

Percentile

22.8%

JSON

Delegated Admin Privilege virtual attribute provider plugin, when enabled, allows an authenticated user to elevate their permissions in the Directory Server.

Affected configurations

Nvd

Node

pingidentitypingdirectoryRange8.3.0.0–8.3.0.8

pingidentitypingdirectoryRange9.0.0.0–9.0.0.5

pingidentitypingdirectoryRange9.1.0.0–9.1.0.2

pingidentitypingdirectoryMatch9.2.0.0

pingidentitypingdirectoryMatch9.2.0.1

pingidentitypingdirectoryMatch9.3.0.0

pingidentitypingdirectoryMatch9.3.0.1

VendorProductVersionCPE
pingidentitypingdirectory*cpe:2.3:a:pingidentity:pingdirectory:*:*:*:*:*:*:*:*
pingidentitypingdirectory9.2.0.0cpe:2.3:a:pingidentity:pingdirectory:9.2.0.0:*:*:*:*:*:*:*
pingidentitypingdirectory9.2.0.1cpe:2.3:a:pingidentity:pingdirectory:9.2.0.1:*:*:*:*:*:*:*
pingidentitypingdirectory9.3.0.0cpe:2.3:a:pingidentity:pingdirectory:9.3.0.0:*:*:*:*:*:*:*
pingidentitypingdirectory9.3.0.1cpe:2.3:a:pingidentity:pingdirectory:9.3.0.1:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
pingidentity	pingdirectory	*	cpe:2.3:a:pingidentity:pingdirectory::::::::
pingidentity	pingdirectory	9.2.0.0	cpe:2.3:a:pingidentity:pingdirectory:9.2.0.0:::::::*
pingidentity	pingdirectory	9.2.0.1	cpe:2.3:a:pingidentity:pingdirectory:9.2.0.1:::::::*
pingidentity	pingdirectory	9.3.0.0	cpe:2.3:a:pingidentity:pingdirectory:9.3.0.0:::::::*
pingidentity	pingdirectory	9.3.0.1	cpe:2.3:a:pingidentity:pingdirectory:9.3.0.1:::::::*

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "PingDirectory",
    "vendor": "Ping Identity",
    "versions": [
      {
        "lessThanOrEqual": "8.3.0.8",
        "status": "affected",
        "version": "8.3",
        "versionType": "8.3.0.9"
      },
      {
        "lessThanOrEqual": "9.0.0.5",
        "status": "affected",
        "version": "9.0",
        "versionType": "9.0.0.6"
      },
      {
        "lessThanOrEqual": "9.1.0.2",
        "status": "affected",
        "version": "9.1",
        "versionType": "9.1.0.3"
      },
      {
        "lessThanOrEqual": "9.2.0.1",
        "status": "affected",
        "version": "9.2",
        "versionType": "9.2.0.2"
      },
      {
        "lessThan": "9.3.0.1",
        "status": "affected",
        "version": "9.3",
        "versionType": "9.3.0.1"
      }
    ]
  }
]

References

docs.pingidentity.com/r/en-us/pingdirectory-93/ynf1693338390284

support.pingidentity.com/s/article/SECADV039

www.pingidentity.com/en/resources/downloads/pingdirectory-downloads.html

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

8.4

Confidence

High

EPSS

0.001

Percentile

22.8%

JSON

Related for CVE-2023-36496