Ping IdentityVULNRICHMENT:CVE-2023-39231CVE-2023-39231 PingFederate PingOne MFA IK Device Pairing Second Factor Authentication Bypass
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
AI Score
Confidence
Low
EPSS
Percentile
18.6%
SSVC
Exploitation
none
Automatable
no
Technical Impact
total
PingFederate using the PingOne MFA adapter allows a new MFA device to be paired without requiring second factor authentication from an existing registered device. A threat actor may be able to exploit this vulnerability to register their own MFA device if they have knowledge of a victim user’s first factor credentials.
ADP Affected
[
{
"cpes": [
"cpe:2.3:a:pingidentity:pingone_mfa_integration_kit:*:*:*:*:*:*:*:*"
],
"vendor": "pingidentity",
"product": "pingone_mfa_integration_kit",
"versions": [
{
"status": "affected",
"version": "2.2",
"lessThan": "2.2.1",
"versionType": "custom"
}
],
"defaultStatus": "unknown"
}
]Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
AI Score
Confidence
Low
EPSS
Percentile
18.6%
SSVC
Exploitation
none
Automatable
no
Technical Impact
total