cvelist | Ping Identity | CVELIST:CVE-2021-41994
History: Apr 30, 2022 - 9:15 p.m.

CVE-2021-41994 PingID iOS mobile application prior to 1.19 vulnerable to pre-computed dictionary attacks

2022-04-30 21:15:22
CWE-310
Ping Identity
www.cve.org
pingid, ios, rsa, misconfiguration, vulnerability, dictionary attacks, mfa bypass, windows login

CVSS3: 6.6

Attack Vector: PHYSICAL
Attack Complexity: HIGH
Privileges Required: HIGH
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE

CVSS:3.1/AV:P/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N

AI Score: 6.4
Confidence: High

EPSS: 0
Percentile: 12.6%

A misconfiguration of RSA in PingID iOS app prior to 1.19 is vulnerable to pre-computed dictionary attacks, leading to an offline MFA bypass when using PingID Windows Login.

CNA Affected

[
  {
    "platforms": [
      "iOS"
    ],
    "product": "PingID Mobile Application",
    "vendor": "Ping Identity",
    "versions": [
      {
        "lessThan": "1.19",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]
