Lucene search

[email protected]NVD:CVE-2023-39231

HistoryOct 25, 2023 - 6:17 p.m.

CVE-2023-39231

2023-10-2518:17:29

CWE-306

CWE-288

[email protected]

web.nvd.nist.gov

pingfederate

pingone

mfa

unauthorized pairing

security threat

vulnerability

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

EPSS

0.001

Percentile

18.6%

JSON

PingFederate using the PingOne MFA adapter allows a new MFA device to be paired without requiring second factor authentication from an existing registered device. A threat actor may be able to exploit this vulnerability to register their own MFA device if they have knowledge of a victim user’s first factor credentials.

Affected configurations

Nvd

Node

pingidentitypingone_mfa_integration_kitMatch2.2

VendorProductVersionCPE
pingidentitypingone_mfa_integration_kit2.2cpe:2.3:a:pingidentity:pingone_mfa_integration_kit:2.2:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
pingidentity	pingone_mfa_integration_kit	2.2	cpe:2.3:a:pingidentity:pingone_mfa_integration_kit:2.2:::::::*

References

docs.pingidentity.com/r/en-us/pingfederate-pingone-mfa-ik/bks1657303194394

www.pingidentity.com/en/resources/downloads/pingid.html

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

EPSS

0.001

Percentile

18.6%

JSON

Related for NVD:CVE-2023-39231

cve1 cvelist1 prion1 vulnrichment1