
27 vulnerabilities found for pingid_integration_for_windows_login by pingidentity

FKIE_CVE-2022-23721

Vulnerability from fkie_nvd - Published: 2023-04-25 19:15 - Updated: 2024-11-21 06:49
Summary
PingID integration for Windows login prior to 2.9 does not handle duplicate usernames, which can lead to a username collision when two people with the same username are provisioned onto the same machine at different times.
Impacted products

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:pingidentity:pingid_integration_for_windows_login:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "D1089203-0C94-4337-9108-DDACBB1CE79B",
              "versionEndExcluding": "2.9",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "PingID integration for Windows login prior to 2.9 does not handle duplicate usernames, which can lead to a username collision when two people with the same username are provisioned onto the same machine at different times."
    }
  ],
  "id": "CVE-2022-23721",
  "lastModified": "2024-11-21T06:49:10.790",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "LOW",
          "baseScore": 3.8,
          "baseSeverity": "LOW",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 2.0,
        "impactScore": 1.4,
        "source": "responsible-disclosure@pingidentity.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "LOW",
          "baseScore": 3.3,
          "baseSeverity": "LOW",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-04-25T19:15:10.087",
  "references": [
    {
      "source": "responsible-disclosure@pingidentity.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://docs.pingidentity.com/r/en-us/pingid/davinci_pingid_windows_login_relnotes_2.9"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes"
      ],
      "url": "https://docs.pingidentity.com/r/en-us/pingid/davinci_pingid_windows_login_relnotes_2.9"
    }
  ],
  "sourceIdentifier": "responsible-disclosure@pingidentity.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-694"
        }
      ],
      "source": "responsible-disclosure@pingidentity.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-74"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

FKIE_CVE-2022-23718

Vulnerability from fkie_nvd - Published: 2022-06-30 20:15 - Updated: 2024-11-21 06:49
Summary
PingID Windows Login prior to 2.8 uses known vulnerable components that can lead to remote code execution. An attacker capable of achieving a sophisticated man-in-the-middle position, or of compromising Ping Identity web servers, could deliver malicious code that would be executed as SYSTEM by the PingID Windows Login application.
Impacted products

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:pingidentity:pingid_integration_for_windows_login:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "D631B535-D41D-4179-8E1B-CCAC61DC5236",
              "versionEndExcluding": "2.8",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "PingID Windows Login prior to 2.8 uses known vulnerable components that can lead to remote code execution. An attacker capable of achieving a sophisticated man-in-the-middle position, or to compromise Ping Identity web servers, could deliver malicious code that would be executed as SYSTEM by the PingID Windows Login application."
    },
    {
      "lang": "es",
      "value": "PingID Windows Login versiones anteriores a 2.8, usa componentes vulnerables conocidos que pueden conllevar a una ejecuci\u00f3n de c\u00f3digo remota. Un atacante capaz de lograr una posici\u00f3n sofisticada de tipo man-in-the-middle, o de comprometer los servidores web de Ping Identity, podr\u00eda entregar c\u00f3digo malicioso que ser\u00eda ejecutado como SYSTEM por la aplicaci\u00f3n PingID Windows Login"
    }
  ],
  "id": "CVE-2022-23718",
  "lastModified": "2024-11-21T06:49:10.377",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "COMPLETE",
          "baseScore": 9.3,
          "confidentialityImpact": "COMPLETE",
          "integrityImpact": "COMPLETE",
          "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 10.0,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.6,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.0,
        "impactScore": 6.0,
        "source": "responsible-disclosure@pingidentity.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.2,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-06-30T20:15:08.253",
  "references": [
    {
      "source": "responsible-disclosure@pingidentity.com",
      "tags": [
        "Release Notes",
        "Vendor Advisory"
      ],
      "url": "https://docs.pingidentity.com/bundle/pingid/page/zhy1653552428545.html"
    },
    {
      "source": "responsible-disclosure@pingidentity.com",
      "tags": [
        "Product",
        "Vendor Advisory"
      ],
      "url": "https://www.pingidentity.com/en/resources/downloads/pingid.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes",
        "Vendor Advisory"
      ],
      "url": "https://docs.pingidentity.com/bundle/pingid/page/zhy1653552428545.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Product",
        "Vendor Advisory"
      ],
      "url": "https://www.pingidentity.com/en/resources/downloads/pingid.html"
    }
  ],
  "sourceIdentifier": "responsible-disclosure@pingidentity.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-1352"
        }
      ],
      "source": "responsible-disclosure@pingidentity.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-Other"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

FKIE_CVE-2022-23719

Vulnerability from fkie_nvd - Published: 2022-06-30 20:15 - Updated: 2024-11-21 06:49
Summary
PingID Windows Login prior to 2.8 does not authenticate communication with a local Java service used to capture security key requests. An attacker with the ability to execute code on the target machine may be able to exploit and spoof the local Java service using multiple attack vectors. A successful attack can lead to code executed as SYSTEM by the PingID Windows Login application, or even a denial of service for offline security key authentication.
Impacted products

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:pingidentity:pingid_integration_for_windows_login:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "D631B535-D41D-4179-8E1B-CCAC61DC5236",
              "versionEndExcluding": "2.8",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "PingID Windows Login prior to 2.8 does not authenticate communication with a local Java service used to capture security key requests. An attacker with the ability to execute code on the target machine maybe able to exploit and spoof the local Java service using multiple attack vectors. A successful attack can lead to code executed as SYSTEM by the PingID Windows Login application, or even a denial of service for offline security key authentication."
    },
    {
      "lang": "es",
      "value": "PingID Windows Login versiones anteriores a 2.8, no autentica la comunicaci\u00f3n con un servicio local de Java usado para capturar peticiones de claves de seguridad. Un atacante con la capacidad de ejecutar c\u00f3digo en la m\u00e1quina objetivo puede ser capaz de explotar y falsificar el servicio local de Java usando m\u00faltiples vectores de ataque. Un ataque con \u00e9xito puede conllevar a una ejecuci\u00f3n de c\u00f3digo como SYSTEM por parte de la aplicaci\u00f3n PingID Windows Login, o incluso una denegaci\u00f3n de servicio para la autenticaci\u00f3n de la clave de seguridad fuera de l\u00ednea"
    }
  ],
  "id": "CVE-2022-23719",
  "lastModified": "2024-11-21T06:49:10.510",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "LOCAL",
          "authentication": "NONE",
          "availabilityImpact": "COMPLETE",
          "baseScore": 6.9,
          "confidentialityImpact": "COMPLETE",
          "integrityImpact": "COMPLETE",
          "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
          "version": "2.0"
        },
        "exploitabilityScore": 3.4,
        "impactScore": 10.0,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 7.2,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 0.6,
        "impactScore": 6.0,
        "source": "responsible-disclosure@pingidentity.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 6.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 0.5,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-06-30T20:15:08.310",
  "references": [
    {
      "source": "responsible-disclosure@pingidentity.com",
      "tags": [
        "Release Notes",
        "Vendor Advisory"
      ],
      "url": "https://docs.pingidentity.com/bundle/pingid/page/zhy1653552428545.html"
    },
    {
      "source": "responsible-disclosure@pingidentity.com",
      "tags": [
        "Product",
        "Vendor Advisory"
      ],
      "url": "https://www.pingidentity.com/en/resources/downloads/pingid.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes",
        "Vendor Advisory"
      ],
      "url": "https://docs.pingidentity.com/bundle/pingid/page/zhy1653552428545.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Product",
        "Vendor Advisory"
      ],
      "url": "https://www.pingidentity.com/en/resources/downloads/pingid.html"
    }
  ],
  "sourceIdentifier": "responsible-disclosure@pingidentity.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-288"
        },
        {
          "lang": "en",
          "value": "CWE-310"
        }
      ],
      "source": "responsible-disclosure@pingidentity.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-306"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

FKIE_CVE-2022-23717

Vulnerability from fkie_nvd - Published: 2022-06-30 20:15 - Updated: 2024-11-21 06:49
Summary
PingID Windows Login prior to 2.8 is vulnerable to a denial of service condition on local machines when combined with using offline security keys as part of authentication.
Impacted products

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:pingidentity:pingid_integration_for_windows_login:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "D631B535-D41D-4179-8E1B-CCAC61DC5236",
              "versionEndExcluding": "2.8",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "PingID Windows Login prior to 2.8 is vulnerable to a denial of service condition on local machines when combined with using offline security keys as part of authentication."
    },
    {
      "lang": "es",
      "value": "PingID Windows Login versiones anteriores a 2.8, es vulnerable a una condici\u00f3n de denegaci\u00f3n de servicio en m\u00e1quinas locales cuando es combinado con el uso de claves de seguridad sin conexi\u00f3n como parte de la autenticaci\u00f3n"
    }
  ],
  "id": "CVE-2022-23717",
  "lastModified": "2024-11-21T06:49:10.240",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "LOCAL",
          "authentication": "NONE",
          "availabilityImpact": "COMPLETE",
          "baseScore": 4.9,
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
          "version": "2.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 6.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 5.0,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 0.6,
        "impactScore": 4.0,
        "source": "responsible-disclosure@pingidentity.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 5.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-06-30T20:15:08.197",
  "references": [
    {
      "source": "responsible-disclosure@pingidentity.com",
      "tags": [
        "Release Notes",
        "Vendor Advisory"
      ],
      "url": "https://docs.pingidentity.com/bundle/pingid/page/zhy1653552428545.html"
    },
    {
      "source": "responsible-disclosure@pingidentity.com",
      "tags": [
        "Product",
        "Vendor Advisory"
      ],
      "url": "https://www.pingidentity.com/en/resources/downloads/pingid.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes",
        "Vendor Advisory"
      ],
      "url": "https://docs.pingidentity.com/bundle/pingid/page/zhy1653552428545.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Product",
        "Vendor Advisory"
      ],
      "url": "https://www.pingidentity.com/en/resources/downloads/pingid.html"
    }
  ],
  "sourceIdentifier": "responsible-disclosure@pingidentity.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-404"
        }
      ],
      "source": "responsible-disclosure@pingidentity.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-404"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

FKIE_CVE-2022-23725

Vulnerability from fkie_nvd - Published: 2022-06-30 20:15 - Updated: 2024-11-21 06:49

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:pingidentity:pingid_integration_for_windows_login:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "D631B535-D41D-4179-8E1B-CCAC61DC5236",
              "versionEndExcluding": "2.8",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "PingID Windows Login prior to 2.8 does not properly set permissions on the Windows Registry entries used to store sensitive API keys under some circumstances."
    },
    {
      "lang": "es",
      "value": "PingID Windows Login versiones anteriores a 2.8, no establece correctamente los permisos en las entradas del Registro de Windows usadas para almacenar claves confidenciales de la API en algunas circunstancias"
    }
  ],
  "id": "CVE-2022-23725",
  "lastModified": "2024-11-21T06:49:11.377",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "LOW",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "LOCAL",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 2.1,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "LOCAL",
          "availabilityImpact": "LOW",
          "baseScore": 7.7,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 1.1,
        "impactScore": 6.0,
        "source": "responsible-disclosure@pingidentity.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "NONE",
          "baseScore": 5.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-06-30T20:15:08.430",
  "references": [
    {
      "source": "responsible-disclosure@pingidentity.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://docs.pingidentity.com/bundle/pingid/page/zhy1653552428545.html"
    },
    {
      "source": "responsible-disclosure@pingidentity.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.pingidentity.com/en/resources/downloads/pingid.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://docs.pingidentity.com/bundle/pingid/page/zhy1653552428545.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.pingidentity.com/en/resources/downloads/pingid.html"
    }
  ],
  "sourceIdentifier": "responsible-disclosure@pingidentity.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-288"
        },
        {
          "lang": "en",
          "value": "CWE-522"
        }
      ],
      "source": "responsible-disclosure@pingidentity.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-732"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

FKIE_CVE-2022-23720

Vulnerability from fkie_nvd - Published: 2022-06-30 20:15 - Updated: 2024-11-21 06:49
Summary
PingID Windows Login prior to 2.8 does not alert or halt operation if it has been provisioned with the full-permissions PingID properties file. An IT administrator could mistakenly deploy administrator-privileged PingID API credentials, such as those typically used by PingFederate, into PingID Windows Login user endpoints. Using a sensitive full-permissions properties file outside of a privileged trust boundary leads to an increased risk of exposure or discovery, and an attacker could leverage these credentials to perform administrative actions against PingID APIs or endpoints.
Impacted products

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:pingidentity:pingid_integration_for_windows_login:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "D631B535-D41D-4179-8E1B-CCAC61DC5236",
              "versionEndExcluding": "2.8",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "PingID Windows Login prior to 2.8 does not alert or halt operation if it has been provisioned with the full permissions PingID properties file. An IT administrator could mistakenly deploy administrator privileged PingID API credentials, such as those typically used by PingFederate, into PingID Windows Login user endpoints. Using sensitive full permissions properties file outside of a privileged trust boundary leads to an increased risk of exposure or discovery, and an attacker could leverage these credentials to perform administrative actions against PingID APIs or endpoints."
    },
    {
      "lang": "es",
      "value": "PingID Windows Login versiones anteriores a 2.8, no alerta o detiene la operaci\u00f3n si ha sido provisto con el archivo de propiedades de PingID con todos los permisos. Un administrador de TI podr\u00eda desplegar por error credenciales de API PingID con privilegios de administrador, como los usados t\u00edpicamente por PingFederate, en los endpoints de usuario de PingID Windows Login. El uso de un archivo de propiedades de permisos completos confidenciales fuera de un l\u00edmite confiable privilegiado conlleva a un mayor riesgo de exposici\u00f3n o detecci\u00f3n, y un atacante podr\u00eda aprovechar estas credenciales para llevar a cabo acciones administrativas contra las APIs de PingID o los endpoints"
    }
  ],
  "id": "CVE-2022-23720",
  "lastModified": "2024-11-21T06:49:10.640",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "LOCAL",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 4.4,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 3.4,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 0.8,
        "impactScore": 6.0,
        "source": "responsible-disclosure@pingidentity.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 8.2,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.5,
        "impactScore": 6.0,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-06-30T20:15:08.377",
  "references": [
    {
      "source": "responsible-disclosure@pingidentity.com",
      "tags": [
        "Release Notes",
        "Vendor Advisory"
      ],
      "url": "https://docs.pingidentity.com/bundle/pingid/page/zhy1653552428545.html"
    },
    {
      "source": "responsible-disclosure@pingidentity.com",
      "tags": [
        "Product",
        "Vendor Advisory"
      ],
      "url": "https://www.pingidentity.com/en/resources/downloads/pingid.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes",
        "Vendor Advisory"
      ],
      "url": "https://docs.pingidentity.com/bundle/pingid/page/zhy1653552428545.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Product",
        "Vendor Advisory"
      ],
      "url": "https://www.pingidentity.com/en/resources/downloads/pingid.html"
    }
  ],
  "sourceIdentifier": "responsible-disclosure@pingidentity.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-288"
        },
        {
          "lang": "en",
          "value": "CWE-648"
        }
      ],
      "source": "responsible-disclosure@pingidentity.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-269"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

FKIE_CVE-2022-23724

Vulnerability from fkie_nvd - Published: 2022-05-04 17:15 - Updated: 2024-11-21 06:49
Summary
Use of static encryption key material allows forging an authentication token to other users within a tenant organization. MFA may be bypassed by redirecting an authentication flow to a target user. To exploit the vulnerability, an attacker must have compromised user credentials.
Impacted products

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:pingidentity:pingid_integration_for_windows_login:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "BC6E6993-6740-47E7-B5E6-342E2AC8240D",
              "versionEndExcluding": "2.4.2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Use of static encryption key material allows forging an authentication token to other users within a tenant organization. MFA may be bypassed by redirecting an authentication flow to a target user. To exploit the vulnerability, must have compromised user credentials."
    },
    {
      "lang": "es",
      "value": "Un uso de material de clave de encriptaci\u00f3n est\u00e1tica permite falsificar un token de autenticaci\u00f3n a otros usuarios dentro de una organizaci\u00f3n inquilina. MFA puede ser evitado redirigiendo un flujo de autenticaci\u00f3n a un usuario objetivo. Para explotar la vulnerabilidad, deben tenerse credenciales de usuario comprometidas"
    }
  ],
  "id": "CVE-2022-23724",
  "lastModified": "2024-11-21T06:49:11.240",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 5.5,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 4.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.2,
        "impactScore": 5.2,
        "source": "responsible-disclosure@pingidentity.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 8.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.2,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-05-04T17:15:08.970",
  "references": [
    {
      "source": "responsible-disclosure@pingidentity.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://docs.pingidentity.com/bundle/pingid/page/xqz1597139945488.html"
    },
    {
      "source": "responsible-disclosure@pingidentity.com",
      "tags": [
        "Product",
        "Vendor Advisory"
      ],
      "url": "https://www.pingidentity.com/en/resources/downloads/pingid.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://docs.pingidentity.com/bundle/pingid/page/xqz1597139945488.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Product",
        "Vendor Advisory"
      ],
      "url": "https://www.pingidentity.com/en/resources/downloads/pingid.html"
    }
  ],
  "sourceIdentifier": "responsible-disclosure@pingidentity.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-288"
        },
        {
          "lang": "en",
          "value": "CWE-310"
        }
      ],
      "source": "responsible-disclosure@pingidentity.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-798"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

FKIE_CVE-2021-41992

Vulnerability from fkie_nvd - Published: 2022-04-30 22:15 - Updated: 2024-11-21 06:27

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:pingidentity:pingid_integration_for_windows_login:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "52ABCE09-9556-4B5E-8598-9F5CB6159A64",
              "versionEndExcluding": "2.7",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A misconfiguration of RSA in PingID Windows Login prior to 2.7 is vulnerable to pre-computed dictionary attacks, leading to an offline MFA bypass."
    },
    {
      "lang": "es",
      "value": "Una configuraci\u00f3n err\u00f3nea de RSA en PingID Windows Login versiones anteriores a 2.7, es vulnerable a ataques de diccionario precalculado, conllevando a una omisi\u00f3n de MFA sin conexi\u00f3n"
    }
  ],
  "id": "CVE-2021-41992",
  "lastModified": "2024-11-21T06:27:02.320",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "LOW",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "LOCAL",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 1.9,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 3.4,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.7,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.3,
        "impactScore": 5.8,
        "source": "responsible-disclosure@pingidentity.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "LOCAL",
          "availabilityImpact": "NONE",
          "baseScore": 5.6,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.1,
        "impactScore": 4.0,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-04-30T22:15:08.083",
  "references": [
    {
      "source": "responsible-disclosure@pingidentity.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://docs.pingidentity.com/bundle/pingid/page/klc1641469599716.html"
    },
    {
      "source": "responsible-disclosure@pingidentity.com",
      "tags": [
        "Product"
      ],
      "url": "https://www.pingidentity.com/en/resources/downloads/pingid.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://docs.pingidentity.com/bundle/pingid/page/klc1641469599716.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Product"
      ],
      "url": "https://www.pingidentity.com/en/resources/downloads/pingid.html"
    }
  ],
  "sourceIdentifier": "responsible-disclosure@pingidentity.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-288"
        },
        {
          "lang": "en",
          "value": "CWE-310"
        }
      ],
      "source": "responsible-disclosure@pingidentity.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-287"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

FKIE_CVE-2020-25826

Vulnerability from fkie_nvd - Published: 2020-09-23 05:15 - Updated: 2024-11-21 05:18
Summary
PingID Integration for Windows Login before 2.4.2 allows local users to gain privileges by modifying CefSharp.BrowserSubprocess.exe.
Impacted products

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:pingidentity:pingid_integration_for_windows_login:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "BC6E6993-6740-47E7-B5E6-342E2AC8240D",
              "versionEndExcluding": "2.4.2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "PingID Integration for Windows Login before 2.4.2 allows local users to gain privileges by modifying CefSharp.BrowserSubprocess.exe."
    },
    {
      "lang": "es",
      "value": "PingID Integration para Windows Login versiones anteriores a 2.4.2, permite a usuarios locales alcanzar privilegios al modificar el archivo CefSharp.BrowserSubprocess.exe"
    }
  ],
  "id": "CVE-2020-25826",
  "lastModified": "2024-11-21T05:18:50.960",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "LOCAL",
          "authentication": "NONE",
          "availabilityImpact": "COMPLETE",
          "baseScore": 7.2,
          "confidentialityImpact": "COMPLETE",
          "integrityImpact": "COMPLETE",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "version": "2.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 10.0,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 7.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-09-23T05:15:12.507",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes",
        "Vendor Advisory"
      ],
      "url": "https://docs.pingidentity.com/bundle/pingid/page/xqz1597139945488.html"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://gitlab.com/-/snippets/2017709"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes",
        "Vendor Advisory"
      ],
      "url": "https://docs.pingidentity.com/bundle/pingid/page/xqz1597139945488.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://gitlab.com/-/snippets/2017709"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-732"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

CVE-2022-23721 (GCVE-0-2022-23721)

Vulnerability from cvelistv5 – Published: 2023-04-25 00:00 – Updated: 2025-02-04 14:49
Title
PingID integration for Windows login duplicate username collision.
Summary
PingID integration for Windows login prior to 2.9 does not handle duplicate usernames, which can lead to a username collision when two people with the same username are provisioned onto the same machine at different times.
CWE
  • CWE-694 - Use of Multiple Resources with Duplicate Identifier
Assigner
Impacted products
Vendor Product Version
Ping Identity unspecified Affected: 2.9 , < 2.9 (custom)

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T03:51:45.944Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://docs.pingidentity.com/r/en-us/pingid/davinci_pingid_windows_login_relnotes_2.9"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-23721",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-04T14:49:35.874858Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-04T14:49:49.619Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "unspecified",
          "vendor": "Ping Identity",
          "versions": [
            {
              "lessThan": "2.9",
              "status": "affected",
              "version": "2.9",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "PingID integration for Windows login prior to 2.9 does not handle duplicate usernames, which can lead to a username collision when two people with the same username are provisioned onto the same machine at different times."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "LOW",
            "baseScore": 3.8,
            "baseSeverity": "LOW",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-694",
              "description": "CWE-694 Use of Multiple Resources with Duplicate Identifier",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-04-25T00:00:00.000Z",
        "orgId": "5998a2e9-ae88-42cd-b6e0-7564fd979f9e",
        "shortName": "Ping Identity"
      },
      "references": [
        {
          "url": "https://docs.pingidentity.com/r/en-us/pingid/davinci_pingid_windows_login_relnotes_2.9"
        }
      ],
      "source": {
        "advisory": "SECADV034",
        "defect": [
          "PIM-3485"
        ],
        "discovery": "INTERNAL"
      },
      "title": "PingID integration for Windows login duplicate username collision."
    }
  },
  "cveMetadata": {
    "assignerOrgId": "5998a2e9-ae88-42cd-b6e0-7564fd979f9e",
    "assignerShortName": "Ping Identity",
    "cveId": "CVE-2022-23721",
    "datePublished": "2023-04-25T00:00:00.000Z",
    "dateReserved": "2022-01-19T00:00:00.000Z",
    "dateUpdated": "2025-02-04T14:49:49.619Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-23725 (GCVE-0-2022-23725)

Vulnerability from cvelistv5 – Published: 2022-06-30 19:25 – Updated: 2024-08-03 03:51
Title
PingID Windows Login prior to 2.8 does not properly set permissions on the Windows Registry entries used to store sensitive API keys under some circumstances
Summary
PingID Windows Login prior to 2.8 does not properly set permissions on the Windows Registry entries used to store sensitive API keys under some circumstances.
CWE
  • CWE-522 - Insufficiently Protected Credentials
  • CWE-288 - Authentication Bypass Using an Alternate Path or Channel
Assigner
Impacted products
Vendor Product Version
Ping Identity PingID Windows Login Affected: unspecified , < 2.8 (custom)
Credits
Ping Identity credits The Commonwealth Bank of Australia for the discovery of this vulnerability.

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T03:51:46.172Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.pingidentity.com/en/resources/downloads/pingid.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://docs.pingidentity.com/bundle/pingid/page/zhy1653552428545.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "platforms": [
            "Windows"
          ],
          "product": "PingID Windows Login",
          "vendor": "Ping Identity",
          "versions": [
            {
              "lessThan": "2.8",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Ping Identity credits The Commonwealth Bank of Australia for the discovery of this vulnerability."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "PingID Windows Login prior to 2.8 does not properly set permissions on the Windows Registry entries used to store sensitive API keys under some circumstances."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "LOW",
            "baseScore": 7.7,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-522",
              "description": "CWE-522 Insufficiently Protected Credentials",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-288",
              "description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-06-30T19:25:46",
        "orgId": "5998a2e9-ae88-42cd-b6e0-7564fd979f9e",
        "shortName": "Ping Identity"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.pingidentity.com/en/resources/downloads/pingid.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://docs.pingidentity.com/bundle/pingid/page/zhy1653552428545.html"
        }
      ],
      "source": {
        "advisory": "SECADV031",
        "discovery": "EXTERNAL"
      },
      "title": "PingID Windows Login prior to 2.8 does not properly set permissions on the Windows Registry entries used to store sensitive API keys under some circumstances",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "responsible-disclosure@pingidentity.com",
          "ID": "CVE-2022-23725",
          "STATE": "PUBLIC",
          "TITLE": "PingID Windows Login prior to 2.8 does not properly set permissions on the Windows Registry entries used to store sensitive API keys under some circumstances"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "PingID Windows Login",
                      "version": {
                        "version_data": [
                          {
                            "platform": "Windows",
                            "version_affected": "\u003c",
                            "version_value": "2.8"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Ping Identity"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Ping Identity credits The Commonwealth Bank of Australia for the discovery of this vulnerability."
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "PingID Windows Login prior to 2.8 does not properly set permissions on the Windows Registry entries used to store sensitive API keys under some circumstances."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "LOW",
            "baseScore": 7.7,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-522 Insufficiently Protected Credentials"
                }
              ]
            },
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-288 Authentication Bypass Using an Alternate Path or Channel"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.pingidentity.com/en/resources/downloads/pingid.html",
              "refsource": "MISC",
              "url": "https://www.pingidentity.com/en/resources/downloads/pingid.html"
            },
            {
              "name": "https://docs.pingidentity.com/bundle/pingid/page/zhy1653552428545.html",
              "refsource": "MISC",
              "url": "https://docs.pingidentity.com/bundle/pingid/page/zhy1653552428545.html"
            }
          ]
        },
        "source": {
          "advisory": "SECADV031",
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "5998a2e9-ae88-42cd-b6e0-7564fd979f9e",
    "assignerShortName": "Ping Identity",
    "cveId": "CVE-2022-23725",
    "datePublished": "2022-06-30T19:25:46",
    "dateReserved": "2022-01-19T00:00:00",
    "dateUpdated": "2024-08-03T03:51:46.172Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-23720 (GCVE-0-2022-23720)

Vulnerability from cvelistv5 – Published: 2022-06-30 19:25 – Updated: 2024-08-03 03:51
Title
PingID Windows Login prior to 2.8 does not alert or halt operation if it has been provisioned with the full permissions PingID properties file
Summary
PingID Windows Login prior to 2.8 does not alert or halt operation if it has been provisioned with the full permissions PingID properties file. An IT administrator could mistakenly deploy administrator-privileged PingID API credentials, such as those typically used by PingFederate, into PingID Windows Login user endpoints. Using a sensitive full permissions properties file outside of a privileged trust boundary leads to an increased risk of exposure or discovery, and an attacker could leverage these credentials to perform administrative actions against PingID APIs or endpoints.
CWE
  • CWE-648 - Incorrect Use of Privileged APIs
  • CWE-288 - Authentication Bypass Using an Alternate Path or Channel
Assigner
Impacted products
Vendor Product Version
Ping Identity PingID Windows Login Affected: unspecified , < 2.8 (custom)
Credits
Ping Identity credits The Commonwealth Bank of Australia for the discovery of this vulnerability.

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T03:51:45.962Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.pingidentity.com/en/resources/downloads/pingid.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://docs.pingidentity.com/bundle/pingid/page/zhy1653552428545.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "platforms": [
            "Windows"
          ],
          "product": "PingID Windows Login",
          "vendor": "Ping Identity",
          "versions": [
            {
              "lessThan": "2.8",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Ping Identity credits The Commonwealth Bank of Australia for the discovery of this vulnerability."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "PingID Windows Login prior to 2.8 does not alert or halt operation if it has been provisioned with the full permissions PingID properties file. An IT administrator could mistakenly deploy administrator privileged PingID API credentials, such as those typically used by PingFederate, into PingID Windows Login user endpoints. Using sensitive full permissions properties file outside of a privileged trust boundary leads to an increased risk of exposure or discovery, and an attacker could leverage these credentials to perform administrative actions against PingID APIs or endpoints."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-648",
              "description": "CWE-648 Incorrect Use of Privileged APIs",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-288",
              "description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-06-30T19:25:41",
        "orgId": "5998a2e9-ae88-42cd-b6e0-7564fd979f9e",
        "shortName": "Ping Identity"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.pingidentity.com/en/resources/downloads/pingid.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://docs.pingidentity.com/bundle/pingid/page/zhy1653552428545.html"
        }
      ],
      "source": {
        "advisory": "SECADV031",
        "discovery": "EXTERNAL"
      },
      "title": "PingID Windows Login prior to 2.8 does not alert or halt operation if it has been provisioned with the full permissions PingID properties file",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "responsible-disclosure@pingidentity.com",
          "ID": "CVE-2022-23720",
          "STATE": "PUBLIC",
          "TITLE": "PingID Windows Login prior to 2.8 does not alert or halt operation if it has been provisioned with the full permissions PingID properties file"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "PingID Windows Login",
                      "version": {
                        "version_data": [
                          {
                            "platform": "Windows",
                            "version_affected": "\u003c",
                            "version_value": "2.8"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Ping Identity"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Ping Identity credits The Commonwealth Bank of Australia for the discovery of this vulnerability."
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "PingID Windows Login prior to 2.8 does not alert or halt operation if it has been provisioned with the full permissions PingID properties file. An IT administrator could mistakenly deploy administrator privileged PingID API credentials, such as those typically used by PingFederate, into PingID Windows Login user endpoints. Using sensitive full permissions properties file outside of a privileged trust boundary leads to an increased risk of exposure or discovery, and an attacker could leverage these credentials to perform administrative actions against PingID APIs or endpoints."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-648 Incorrect Use of Privileged APIs"
                }
              ]
            },
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-288 Authentication Bypass Using an Alternate Path or Channel"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.pingidentity.com/en/resources/downloads/pingid.html",
              "refsource": "MISC",
              "url": "https://www.pingidentity.com/en/resources/downloads/pingid.html"
            },
            {
              "name": "https://docs.pingidentity.com/bundle/pingid/page/zhy1653552428545.html",
              "refsource": "MISC",
              "url": "https://docs.pingidentity.com/bundle/pingid/page/zhy1653552428545.html"
            }
          ]
        },
        "source": {
          "advisory": "SECADV031",
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "5998a2e9-ae88-42cd-b6e0-7564fd979f9e",
    "assignerShortName": "Ping Identity",
    "cveId": "CVE-2022-23720",
    "datePublished": "2022-06-30T19:25:41",
    "dateReserved": "2022-01-19T00:00:00",
    "dateUpdated": "2024-08-03T03:51:45.962Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-23719 (GCVE-0-2022-23719)

Vulnerability from cvelistv5 – Published: 2022-06-30 19:25 – Updated: 2024-08-03 03:51
Title
PingID Windows Login prior to 2.8 does not authenticate communication with a local Java service used to capture security key requests
Summary
PingID Windows Login prior to 2.8 does not authenticate communication with a local Java service used to capture security key requests. An attacker with the ability to execute code on the target machine may be able to exploit and spoof the local Java service using multiple attack vectors. A successful attack can lead to code executed as SYSTEM by the PingID Windows Login application, or even a denial of service for offline security key authentication.
CWE
  • CWE-310 - Cryptographic Issues
  • CWE-288 - Authentication Bypass Using an Alternate Path or Channel
Assigner
Impacted products
Vendor Product Version
Ping Identity PingID Windows Login Affected: unspecified , < 2.8 (custom)
Credits
Ping Identity credits The Commonwealth Bank of Australia for the discovery of this vulnerability.

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T03:51:46.025Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.pingidentity.com/en/resources/downloads/pingid.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://docs.pingidentity.com/bundle/pingid/page/zhy1653552428545.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "platforms": [
            "Windows"
          ],
          "product": "PingID Windows Login",
          "vendor": "Ping Identity",
          "versions": [
            {
              "lessThan": "2.8",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Ping Identity credits The Commonwealth Bank of Australia for the discovery of this vulnerability."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "PingID Windows Login prior to 2.8 does not authenticate communication with a local Java service used to capture security key requests. An attacker with the ability to execute code on the target machine maybe able to exploit and spoof the local Java service using multiple attack vectors. A successful attack can lead to code executed as SYSTEM by the PingID Windows Login application, or even a denial of service for offline security key authentication."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-310",
              "description": "CWE-310 Cryptographic Issues",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-288",
              "description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-06-30T19:25:35",
        "orgId": "5998a2e9-ae88-42cd-b6e0-7564fd979f9e",
        "shortName": "Ping Identity"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.pingidentity.com/en/resources/downloads/pingid.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://docs.pingidentity.com/bundle/pingid/page/zhy1653552428545.html"
        }
      ],
      "source": {
        "advisory": "SECADV031",
        "discovery": "EXTERNAL"
      },
      "title": "PingID Windows Login prior to 2.8 does not authenticate communication with a local Java service used to capture security key requests",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "responsible-disclosure@pingidentity.com",
          "ID": "CVE-2022-23719",
          "STATE": "PUBLIC",
          "TITLE": "PingID Windows Login prior to 2.8 does not authenticate communication with a local Java service used to capture security key requests"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "PingID Windows Login",
                      "version": {
                        "version_data": [
                          {
                            "platform": "Windows",
                            "version_affected": "\u003c",
                            "version_value": "2.8"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Ping Identity"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Ping Identity credits The Commonwealth Bank of Australia for the discovery of this vulnerability."
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "PingID Windows Login prior to 2.8 does not authenticate communication with a local Java service used to capture security key requests. An attacker with the ability to execute code on the target machine maybe able to exploit and spoof the local Java service using multiple attack vectors. A successful attack can lead to code executed as SYSTEM by the PingID Windows Login application, or even a denial of service for offline security key authentication."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-310 Cryptographic Issues"
                }
              ]
            },
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-288 Authentication Bypass Using an Alternate Path or Channel"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.pingidentity.com/en/resources/downloads/pingid.html",
              "refsource": "MISC",
              "url": "https://www.pingidentity.com/en/resources/downloads/pingid.html"
            },
            {
              "name": "https://docs.pingidentity.com/bundle/pingid/page/zhy1653552428545.html",
              "refsource": "MISC",
              "url": "https://docs.pingidentity.com/bundle/pingid/page/zhy1653552428545.html"
            }
          ]
        },
        "source": {
          "advisory": "SECADV031",
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "5998a2e9-ae88-42cd-b6e0-7564fd979f9e",
    "assignerShortName": "Ping Identity",
    "cveId": "CVE-2022-23719",
    "datePublished": "2022-06-30T19:25:35",
    "dateReserved": "2022-01-19T00:00:00",
    "dateUpdated": "2024-08-03T03:51:46.025Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-23718 (GCVE-0-2022-23718)

Vulnerability from cvelistv5 – Published: 2022-06-30 19:25 – Updated: 2024-08-03 03:51
Title
PingID Windows Login prior to 2.8 uses known vulnerable components that can lead to remote code execution
Summary
PingID Windows Login prior to 2.8 uses known vulnerable components that can lead to remote code execution. An attacker capable of achieving a sophisticated man-in-the-middle position, or of compromising Ping Identity web servers, could deliver malicious code that would be executed as SYSTEM by the PingID Windows Login application.
CWE
  • CWE-1352 - OWASP Top Ten 2021 Category A06:2021 - Vulnerable and Outdated Components
Assigner
Impacted products
Vendor Product Version
Ping Identity PingID Windows Login Affected: unspecified , < 2.8 (custom)
Credits
Ping Identity credits The Commonwealth Bank of Australia for the discovery of this vulnerability.

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T03:51:46.036Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.pingidentity.com/en/resources/downloads/pingid.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://docs.pingidentity.com/bundle/pingid/page/zhy1653552428545.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "platforms": [
            "Windows"
          ],
          "product": "PingID Windows Login",
          "vendor": "Ping Identity",
          "versions": [
            {
              "lessThan": "2.8",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Ping Identity credits The Commonwealth Bank of Australia for the discovery of this vulnerability."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "PingID Windows Login prior to 2.8 uses known vulnerable components that can lead to remote code execution. An attacker capable of achieving a sophisticated man-in-the-middle position, or to compromise Ping Identity web servers, could deliver malicious code that would be executed as SYSTEM by the PingID Windows Login application."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1352",
              "description": "CWE-1352 OWASP Top Ten 2021 Category A06:2021 - Vulnerable and Outdated Components",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-06-30T19:25:30",
        "orgId": "5998a2e9-ae88-42cd-b6e0-7564fd979f9e",
        "shortName": "Ping Identity"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.pingidentity.com/en/resources/downloads/pingid.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://docs.pingidentity.com/bundle/pingid/page/zhy1653552428545.html"
        }
      ],
      "source": {
        "advisory": "SECADV031",
        "discovery": "EXTERNAL"
      },
      "title": "PingID Windows Login prior to 2.8 uses known vulnerable components that can lead to remote code execution",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "responsible-disclosure@pingidentity.com",
          "ID": "CVE-2022-23718",
          "STATE": "PUBLIC",
          "TITLE": "PingID Windows Login prior to 2.8 uses known vulnerable components that can lead to remote code execution"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "PingID Windows Login",
                      "version": {
                        "version_data": [
                          {
                            "platform": "Windows",
                            "version_affected": "\u003c",
                            "version_value": "2.8"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Ping Identity"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Ping Identity credits The Commonwealth Bank of Australia for the discovery of this vulnerability."
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "PingID Windows Login prior to 2.8 uses known vulnerable components that can lead to remote code execution. An attacker capable of achieving a sophisticated man-in-the-middle position, or to compromise Ping Identity web servers, could deliver malicious code that would be executed as SYSTEM by the PingID Windows Login application."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-1352 OWASP Top Ten 2021 Category A06:2021 - Vulnerable and Outdated Components"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.pingidentity.com/en/resources/downloads/pingid.html",
              "refsource": "MISC",
              "url": "https://www.pingidentity.com/en/resources/downloads/pingid.html"
            },
            {
              "name": "https://docs.pingidentity.com/bundle/pingid/page/zhy1653552428545.html",
              "refsource": "MISC",
              "url": "https://docs.pingidentity.com/bundle/pingid/page/zhy1653552428545.html"
            }
          ]
        },
        "source": {
          "advisory": "SECADV031",
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "5998a2e9-ae88-42cd-b6e0-7564fd979f9e",
    "assignerShortName": "Ping Identity",
    "cveId": "CVE-2022-23718",
    "datePublished": "2022-06-30T19:25:30",
    "dateReserved": "2022-01-19T00:00:00",
    "dateUpdated": "2024-08-03T03:51:46.036Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-23717 (GCVE-0-2022-23717)

Vulnerability from cvelistv5 – Published: 2022-06-30 19:25 – Updated: 2024-08-03 03:51
Title
PingID Windows Login prior to 2.8 denial of service condition
Summary
PingID Windows Login prior to 2.8 is vulnerable to a denial of service condition on local machines when combined with using offline security keys as part of authentication.
CWE
  • CWE-404 - Improper Resource Shutdown or Release
Assigner
Impacted products
Vendor Product Version
Ping Identity PingID Windows Login Affected: unspecified , < 2.8 (custom)
Credits
Ping Identity credits The Commonwealth Bank of Australia for the discovery of this vulnerability.

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T03:51:45.972Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.pingidentity.com/en/resources/downloads/pingid.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://docs.pingidentity.com/bundle/pingid/page/zhy1653552428545.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "platforms": [
            "Windows"
          ],
          "product": "PingID Windows Login",
          "vendor": "Ping Identity",
          "versions": [
            {
              "lessThan": "2.8",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Ping Identity credits The Commonwealth Bank of Australia for the discovery of this vulnerability."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "PingID Windows Login prior to 2.8 is vulnerable to a denial of service condition on local machines when combined with using offline security keys as part of authentication."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-404",
              "description": "CWE-404 Improper Resource Shutdown or Release",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-06-30T19:25:27",
        "orgId": "5998a2e9-ae88-42cd-b6e0-7564fd979f9e",
        "shortName": "Ping Identity"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.pingidentity.com/en/resources/downloads/pingid.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://docs.pingidentity.com/bundle/pingid/page/zhy1653552428545.html"
        }
      ],
      "source": {
        "advisory": "SECADV031",
        "discovery": "EXTERNAL"
      },
      "title": "PingID Windows Login prior to 2.8 denial of service condition",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "responsible-disclosure@pingidentity.com",
          "ID": "CVE-2022-23717",
          "STATE": "PUBLIC",
          "TITLE": "PingID Windows Login prior to 2.8 denial of service condition"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "PingID Windows Login",
                      "version": {
                        "version_data": [
                          {
                            "platform": "Windows",
                            "version_affected": "\u003c",
                            "version_value": "2.8"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Ping Identity"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Ping Identity credits The Commonwealth Bank of Australia for the discovery of this vulnerability."
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "PingID Windows Login prior to 2.8 is vulnerable to a denial of service condition on local machines when combined with using offline security keys as part of authentication."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:N/I:N/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-404 Improper Resource Shutdown or Release"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.pingidentity.com/en/resources/downloads/pingid.html",
              "refsource": "MISC",
              "url": "https://www.pingidentity.com/en/resources/downloads/pingid.html"
            },
            {
              "name": "https://docs.pingidentity.com/bundle/pingid/page/zhy1653552428545.html",
              "refsource": "MISC",
              "url": "https://docs.pingidentity.com/bundle/pingid/page/zhy1653552428545.html"
            }
          ]
        },
        "source": {
          "advisory": "SECADV031",
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "5998a2e9-ae88-42cd-b6e0-7564fd979f9e",
    "assignerShortName": "Ping Identity",
    "cveId": "CVE-2022-23717",
    "datePublished": "2022-06-30T19:25:27",
    "dateReserved": "2022-01-19T00:00:00",
    "dateUpdated": "2024-08-03T03:51:45.972Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-23724 (GCVE-0-2022-23724)

Vulnerability from cvelistv5 – Published: 2022-05-04 16:30 – Updated: 2024-08-03 03:51
Title
PingID Integration for Windows Login MFA Bypass
Summary
Use of static encryption key material allows forging an authentication token to other users within a tenant organization. MFA may be bypassed by redirecting an authentication flow to a target user. To exploit the vulnerability, an attacker must have compromised user credentials.
CWE
  • CWE-310 - Cryptographic Issues
  • CWE-288 - Authentication Bypass Using an Alternate Path or Channel
Assigner
Impacted products
Vendor Product Version
Ping Identity PingID Integration for Windows Login Affected: unspecified , ≤ 2.4.1 (custom)
Credits
Ping Identity credits Julian Scionti for the discovery and responsible disclosure of this vulnerability.

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T03:51:46.013Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.pingidentity.com/en/resources/downloads/pingid.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://docs.pingidentity.com/bundle/pingid/page/xqz1597139945488.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "PingID Integration for Windows Login",
          "vendor": "Ping Identity",
          "versions": [
            {
              "lessThanOrEqual": "2.4.1",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Ping Identity credits Julian Scionti for the discovery and responsible disclosure of this vulnerability."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Use of static encryption key material allows forging an authentication token to other users within a tenant organization. MFA may be bypassed by redirecting an authentication flow to a target user. To exploit the vulnerability, must have compromised user credentials."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-310",
              "description": "CWE-310 Cryptographic Issues",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-288",
              "description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-05-04T16:30:11",
        "orgId": "5998a2e9-ae88-42cd-b6e0-7564fd979f9e",
        "shortName": "Ping Identity"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.pingidentity.com/en/resources/downloads/pingid.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://docs.pingidentity.com/bundle/pingid/page/xqz1597139945488.html"
        }
      ],
      "source": {
        "defect": [
          "PID-9404",
          "PID-9447"
        ],
        "discovery": "EXTERNAL"
      },
      "title": " PingID Integration for Windows Login MFA Bypass",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "responsible-disclosure@pingidentity.com",
          "ID": "CVE-2022-23724",
          "STATE": "PUBLIC",
          "TITLE": " PingID Integration for Windows Login MFA Bypass"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "PingID Integration for Windows Login",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "2.4.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Ping Identity"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Ping Identity credits Julian Scionti for the discovery and responsible disclosure of this vulnerability."
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Use of static encryption key material allows forging an authentication token to other users within a tenant organization. MFA may be bypassed by redirecting an authentication flow to a target user. To exploit the vulnerability, must have compromised user credentials."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-310 Cryptographic Issues"
                }
              ]
            },
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-288 Authentication Bypass Using an Alternate Path or Channel"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.pingidentity.com/en/resources/downloads/pingid.html",
              "refsource": "MISC",
              "url": "https://www.pingidentity.com/en/resources/downloads/pingid.html"
            },
            {
              "name": "https://docs.pingidentity.com/bundle/pingid/page/xqz1597139945488.html",
              "refsource": "CONFIRM",
              "url": "https://docs.pingidentity.com/bundle/pingid/page/xqz1597139945488.html"
            }
          ]
        },
        "source": {
          "defect": [
            "PID-9404",
            "PID-9447"
          ],
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "5998a2e9-ae88-42cd-b6e0-7564fd979f9e",
    "assignerShortName": "Ping Identity",
    "cveId": "CVE-2022-23724",
    "datePublished": "2022-05-04T16:30:11",
    "dateReserved": "2022-01-19T00:00:00",
    "dateUpdated": "2024-08-03T03:51:46.013Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-41992 (GCVE-0-2021-41992)

Vulnerability from cvelistv5 – Published: 2022-04-30 21:15 – Updated: 2024-08-04 03:22
Title
PingID Windows Login RSA cryptographic weakness with possible offline MFA bypass
Summary
A misconfiguration of RSA in PingID Windows Login prior to 2.7 is vulnerable to pre-computed dictionary attacks, leading to an offline MFA bypass.
CWE
  • CWE-310 - Cryptographic Issues
  • CWE-288 - Authentication Bypass Using an Alternate Path or Channel
Assigner
Impacted products
Vendor Product Version
Ping Identity PingID Windows Login Affected: unspecified , < 2.7 (custom)
Credits
Ping Identity credits The Commonwealth Bank of Australia for the discovery of this vulnerability.

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T03:22:25.674Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.pingidentity.com/en/resources/downloads/pingid.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://docs.pingidentity.com/bundle/pingid/page/klc1641469599716.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "platforms": [
            "Windows"
          ],
          "product": "PingID Windows Login",
          "vendor": "Ping Identity",
          "versions": [
            {
              "lessThan": "2.7",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Ping Identity credits The Commonwealth Bank of Australia for the discovery of this vulnerability."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A misconfiguration of RSA in PingID Windows Login prior to 2.7 is vulnerable to pre-computed dictionary attacks, leading to an offline MFA bypass."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.7,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-310",
              "description": "CWE-310 Cryptographic Issues",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-288",
              "description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-04-30T21:15:19",
        "orgId": "5998a2e9-ae88-42cd-b6e0-7564fd979f9e",
        "shortName": "Ping Identity"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.pingidentity.com/en/resources/downloads/pingid.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://docs.pingidentity.com/bundle/pingid/page/klc1641469599716.html"
        }
      ],
      "source": {
        "advisory": "SECADV030",
        "discovery": "EXTERNAL"
      },
      "title": "PingID Windows Login RSA cryptographic weakness with possible offline MFA bypass",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "responsible-disclosure@pingidentity.com",
          "ID": "CVE-2021-41992",
          "STATE": "PUBLIC",
          "TITLE": "PingID Windows Login RSA cryptographic weakness with possible offline MFA bypass"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "PingID Windows Login",
                      "version": {
                        "version_data": [
                          {
                            "platform": "Windows",
                            "version_affected": "\u003c",
                            "version_value": "2.7"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Ping Identity"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Ping Identity credits The Commonwealth Bank of Australia for the discovery of this vulnerability."
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A misconfiguration of RSA in PingID Windows Login prior to 2.7 is vulnerable to pre-computed dictionary attacks, leading to an offline MFA bypass."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.7,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-310 Cryptographic Issues"
                }
              ]
            },
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-288 Authentication Bypass Using an Alternate Path or Channel"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.pingidentity.com/en/resources/downloads/pingid.html",
              "refsource": "MISC",
              "url": "https://www.pingidentity.com/en/resources/downloads/pingid.html"
            },
            {
              "name": "https://docs.pingidentity.com/bundle/pingid/page/klc1641469599716.html",
              "refsource": "MISC",
              "url": "https://docs.pingidentity.com/bundle/pingid/page/klc1641469599716.html"
            }
          ]
        },
        "source": {
          "advisory": "SECADV030",
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "5998a2e9-ae88-42cd-b6e0-7564fd979f9e",
    "assignerShortName": "Ping Identity",
    "cveId": "CVE-2021-41992",
    "datePublished": "2022-04-30T21:15:19",
    "dateReserved": "2021-10-04T00:00:00",
    "dateUpdated": "2024-08-04T03:22:25.674Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2020-25826 (GCVE-0-2020-25826)

Vulnerability from cvelistv5 – Published: 2020-09-23 04:45 – Updated: 2024-08-04 15:40
Summary
PingID Integration for Windows Login before 2.4.2 allows local users to gain privileges by modifying CefSharp.BrowserSubprocess.exe.
Severity ?
No CVSS data available.
CWE
  • n/a
Assigner

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T15:40:36.949Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://gitlab.com/-/snippets/2017709"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://docs.pingidentity.com/bundle/pingid/page/xqz1597139945488.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "PingID Integration for Windows Login before 2.4.2 allows local users to gain privileges by modifying CefSharp.BrowserSubprocess.exe."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-09-23T04:45:13",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://gitlab.com/-/snippets/2017709"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://docs.pingidentity.com/bundle/pingid/page/xqz1597139945488.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2020-25826",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "PingID Integration for Windows Login before 2.4.2 allows local users to gain privileges by modifying CefSharp.BrowserSubprocess.exe."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://gitlab.com/-/snippets/2017709",
              "refsource": "MISC",
              "url": "https://gitlab.com/-/snippets/2017709"
            },
            {
              "name": "https://docs.pingidentity.com/bundle/pingid/page/xqz1597139945488.html",
              "refsource": "MISC",
              "url": "https://docs.pingidentity.com/bundle/pingid/page/xqz1597139945488.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2020-25826",
    "datePublished": "2020-09-23T04:45:13",
    "dateReserved": "2020-09-23T00:00:00",
    "dateUpdated": "2024-08-04T15:40:36.949Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-23721 (GCVE-0-2022-23721)

Vulnerability from nvd – Published: 2023-04-25 00:00 – Updated: 2025-02-04 14:49
Title
PingID integration for Windows login duplicate username collision.
Summary
PingID integration for Windows login prior to 2.9 does not handle duplicate usernames, which can lead to a username collision when two people with the same username are provisioned onto the same machine at different times.
CWE
  • CWE-694 - Use of Multiple Resources with Duplicate Identifier
Assigner
Impacted products
Vendor Product Version
Ping Identity unspecified Affected: 2.9 , < 2.9 (custom)

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T03:51:45.944Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://docs.pingidentity.com/r/en-us/pingid/davinci_pingid_windows_login_relnotes_2.9"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-23721",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-04T14:49:35.874858Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-04T14:49:49.619Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "unspecified",
          "vendor": "Ping Identity",
          "versions": [
            {
              "lessThan": "2.9",
              "status": "affected",
              "version": "2.9",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "PingID integration for Windows login prior to 2.9 does not handle duplicate usernames, which can lead to a username collision when two people with the same username are provisioned onto the same machine at different times."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "LOW",
            "baseScore": 3.8,
            "baseSeverity": "LOW",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-694",
              "description": "CWE-694 Use of Multiple Resources with Duplicate Identifier",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-04-25T00:00:00.000Z",
        "orgId": "5998a2e9-ae88-42cd-b6e0-7564fd979f9e",
        "shortName": "Ping Identity"
      },
      "references": [
        {
          "url": "https://docs.pingidentity.com/r/en-us/pingid/davinci_pingid_windows_login_relnotes_2.9"
        }
      ],
      "source": {
        "advisory": "SECADV034",
        "defect": [
          "PIM-3485"
        ],
        "discovery": "INTERNAL"
      },
      "title": "PingID integration for Windows login duplicate username collision."
    }
  },
  "cveMetadata": {
    "assignerOrgId": "5998a2e9-ae88-42cd-b6e0-7564fd979f9e",
    "assignerShortName": "Ping Identity",
    "cveId": "CVE-2022-23721",
    "datePublished": "2023-04-25T00:00:00.000Z",
    "dateReserved": "2022-01-19T00:00:00.000Z",
    "dateUpdated": "2025-02-04T14:49:49.619Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-23725 (GCVE-0-2022-23725)

Vulnerability from nvd – Published: 2022-06-30 19:25 – Updated: 2024-08-03 03:51
Title
PingID Windows Login prior to 2.8 does not properly set permissions on the Windows Registry entries used to store sensitive API keys under some circumstances
Summary
PingID Windows Login prior to 2.8 does not properly set permissions on the Windows Registry entries used to store sensitive API keys under some circumstances.
CWE
  • CWE-522 - Insufficiently Protected Credentials
  • CWE-288 - Authentication Bypass Using an Alternate Path or Channel
Assigner
Impacted products
Vendor Product Version
Ping Identity PingID Windows Login Affected: unspecified , < 2.8 (custom)
Credits
Ping Identity credits The Commonwealth Bank of Australia for the discovery of this vulnerability.

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T03:51:46.172Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.pingidentity.com/en/resources/downloads/pingid.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://docs.pingidentity.com/bundle/pingid/page/zhy1653552428545.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "platforms": [
            "Windows"
          ],
          "product": "PingID Windows Login",
          "vendor": "Ping Identity",
          "versions": [
            {
              "lessThan": "2.8",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Ping Identity credits The Commonwealth Bank of Australia for the discovery of this vulnerability."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "PingID Windows Login prior to 2.8 does not properly set permissions on the Windows Registry entries used to store sensitive API keys under some circumstances."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "LOW",
            "baseScore": 7.7,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-522",
              "description": "CWE-522 Insufficiently Protected Credentials",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-288",
              "description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-06-30T19:25:46",
        "orgId": "5998a2e9-ae88-42cd-b6e0-7564fd979f9e",
        "shortName": "Ping Identity"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.pingidentity.com/en/resources/downloads/pingid.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://docs.pingidentity.com/bundle/pingid/page/zhy1653552428545.html"
        }
      ],
      "source": {
        "advisory": "SECADV031",
        "discovery": "EXTERNAL"
      },
      "title": "PingID Windows Login prior to 2.8 does not properly set permissions on the Windows Registry entries used to store sensitive API keys under some circumstances",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "responsible-disclosure@pingidentity.com",
          "ID": "CVE-2022-23725",
          "STATE": "PUBLIC",
          "TITLE": "PingID Windows Login prior to 2.8 does not properly set permissions on the Windows Registry entries used to store sensitive API keys under some circumstances"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "PingID Windows Login",
                      "version": {
                        "version_data": [
                          {
                            "platform": "Windows",
                            "version_affected": "\u003c",
                            "version_value": "2.8"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Ping Identity"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Ping Identity credits The Commonwealth Bank of Australia for the discovery of this vulnerability."
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "PingID Windows Login prior to 2.8 does not properly set permissions on the Windows Registry entries used to store sensitive API keys under some circumstances."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "LOW",
            "baseScore": 7.7,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-522 Insufficiently Protected Credentials"
                }
              ]
            },
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-288 Authentication Bypass Using an Alternate Path or Channel"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.pingidentity.com/en/resources/downloads/pingid.html",
              "refsource": "MISC",
              "url": "https://www.pingidentity.com/en/resources/downloads/pingid.html"
            },
            {
              "name": "https://docs.pingidentity.com/bundle/pingid/page/zhy1653552428545.html",
              "refsource": "MISC",
              "url": "https://docs.pingidentity.com/bundle/pingid/page/zhy1653552428545.html"
            }
          ]
        },
        "source": {
          "advisory": "SECADV031",
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "5998a2e9-ae88-42cd-b6e0-7564fd979f9e",
    "assignerShortName": "Ping Identity",
    "cveId": "CVE-2022-23725",
    "datePublished": "2022-06-30T19:25:46",
    "dateReserved": "2022-01-19T00:00:00",
    "dateUpdated": "2024-08-03T03:51:46.172Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-23720 (GCVE-0-2022-23720)

Vulnerability from nvd – Published: 2022-06-30 19:25 – Updated: 2024-08-03 03:51
Title
PingID Windows Login prior to 2.8 does not alert or halt operation if it has been provisioned with the full permissions PingID properties file
Summary
PingID Windows Login prior to 2.8 does not alert or halt operation if it has been provisioned with the full permissions PingID properties file. An IT administrator could mistakenly deploy administrator privileged PingID API credentials, such as those typically used by PingFederate, into PingID Windows Login user endpoints. Using sensitive full permissions properties file outside of a privileged trust boundary leads to an increased risk of exposure or discovery, and an attacker could leverage these credentials to perform administrative actions against PingID APIs or endpoints.
CWE
  • CWE-648 - Incorrect Use of Privileged APIs
  • CWE-288 - Authentication Bypass Using an Alternate Path or Channel
Assigner
Impacted products
Vendor Product Version
Ping Identity PingID Windows Login Affected: unspecified , < 2.8 (custom)
Credits
Ping Identity credits The Commonwealth Bank of Australia for the discovery of this vulnerability.

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T03:51:45.962Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.pingidentity.com/en/resources/downloads/pingid.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://docs.pingidentity.com/bundle/pingid/page/zhy1653552428545.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "platforms": [
            "Windows"
          ],
          "product": "PingID Windows Login",
          "vendor": "Ping Identity",
          "versions": [
            {
              "lessThan": "2.8",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Ping Identity credits The Commonwealth Bank of Australia for the discovery of this vulnerability."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "PingID Windows Login prior to 2.8 does not alert or halt operation if it has been provisioned with the full permissions PingID properties file. An IT administrator could mistakenly deploy administrator privileged PingID API credentials, such as those typically used by PingFederate, into PingID Windows Login user endpoints. Using sensitive full permissions properties file outside of a privileged trust boundary leads to an increased risk of exposure or discovery, and an attacker could leverage these credentials to perform administrative actions against PingID APIs or endpoints."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-648",
              "description": "CWE-648 Incorrect Use of Privileged APIs",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-288",
              "description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-06-30T19:25:41",
        "orgId": "5998a2e9-ae88-42cd-b6e0-7564fd979f9e",
        "shortName": "Ping Identity"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.pingidentity.com/en/resources/downloads/pingid.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://docs.pingidentity.com/bundle/pingid/page/zhy1653552428545.html"
        }
      ],
      "source": {
        "advisory": "SECADV031",
        "discovery": "EXTERNAL"
      },
      "title": "PingID Windows Login prior to 2.8 does not alert or halt operation if it has been provisioned with the full permissions PingID properties file",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "responsible-disclosure@pingidentity.com",
          "ID": "CVE-2022-23720",
          "STATE": "PUBLIC",
          "TITLE": "PingID Windows Login prior to 2.8 does not alert or halt operation if it has been provisioned with the full permissions PingID properties file"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "PingID Windows Login",
                      "version": {
                        "version_data": [
                          {
                            "platform": "Windows",
                            "version_affected": "\u003c",
                            "version_value": "2.8"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Ping Identity"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Ping Identity credits The Commonwealth Bank of Australia for the discovery of this vulnerability."
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "PingID Windows Login prior to 2.8 does not alert or halt operation if it has been provisioned with the full permissions PingID properties file. An IT administrator could mistakenly deploy administrator privileged PingID API credentials, such as those typically used by PingFederate, into PingID Windows Login user endpoints. Using sensitive full permissions properties file outside of a privileged trust boundary leads to an increased risk of exposure or discovery, and an attacker could leverage these credentials to perform administrative actions against PingID APIs or endpoints."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-648 Incorrect Use of Privileged APIs"
                }
              ]
            },
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-288 Authentication Bypass Using an Alternate Path or Channel"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.pingidentity.com/en/resources/downloads/pingid.html",
              "refsource": "MISC",
              "url": "https://www.pingidentity.com/en/resources/downloads/pingid.html"
            },
            {
              "name": "https://docs.pingidentity.com/bundle/pingid/page/zhy1653552428545.html",
              "refsource": "MISC",
              "url": "https://docs.pingidentity.com/bundle/pingid/page/zhy1653552428545.html"
            }
          ]
        },
        "source": {
          "advisory": "SECADV031",
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "5998a2e9-ae88-42cd-b6e0-7564fd979f9e",
    "assignerShortName": "Ping Identity",
    "cveId": "CVE-2022-23720",
    "datePublished": "2022-06-30T19:25:41",
    "dateReserved": "2022-01-19T00:00:00",
    "dateUpdated": "2024-08-03T03:51:45.962Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-23719 (GCVE-0-2022-23719)

Vulnerability from nvd – Published: 2022-06-30 19:25 – Updated: 2024-08-03 03:51
Title
PingID Windows Login prior to 2.8 does not authenticate communication with a local Java service used to capture security key requests
Summary
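PingID Windows Login prior to 2.8 does not authenticate communication with a local Java service used to capture security key requests. An attacker with the ability to execute code on the target machine may be able to exploit and spoof the local Java service using multiple attack vectors. A successful attack can lead to code executed as SYSTEM by the PingID Windows Login application, or even a denial of service for offline security key authentication.
Note on the record below: the CNA metrics and both vector strings give A:H, while the legacy v4 "impact" block lists "availabilityImpact": "NONE"; when scoring or triaging, rely on the vector string rather than that legacy field.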
CWE
  • CWE-310 - Cryptographic Issues
  • CWE-288 - Authentication Bypass Using an Alternate Path or Channel
Assigner
Impacted products
Vendor Product Version
Ping Identity PingID Windows Login Affected: unspecified , < 2.8 (custom)
Credits
Ping Identity credits The Commonwealth Bank of Australia for the discovery of this vulnerability.

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T03:51:46.025Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.pingidentity.com/en/resources/downloads/pingid.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://docs.pingidentity.com/bundle/pingid/page/zhy1653552428545.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "platforms": [
            "Windows"
          ],
          "product": "PingID Windows Login",
          "vendor": "Ping Identity",
          "versions": [
            {
              "lessThan": "2.8",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Ping Identity credits The Commonwealth Bank of Australia for the discovery of this vulnerability."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "PingID Windows Login prior to 2.8 does not authenticate communication with a local Java service used to capture security key requests. An attacker with the ability to execute code on the target machine maybe able to exploit and spoof the local Java service using multiple attack vectors. A successful attack can lead to code executed as SYSTEM by the PingID Windows Login application, or even a denial of service for offline security key authentication."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-310",
              "description": "CWE-310 Cryptographic Issues",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-288",
              "description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-06-30T19:25:35",
        "orgId": "5998a2e9-ae88-42cd-b6e0-7564fd979f9e",
        "shortName": "Ping Identity"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.pingidentity.com/en/resources/downloads/pingid.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://docs.pingidentity.com/bundle/pingid/page/zhy1653552428545.html"
        }
      ],
      "source": {
        "advisory": "SECADV031",
        "discovery": "EXTERNAL"
      },
      "title": "PingID Windows Login prior to 2.8 does not authenticate communication with a local Java service used to capture security key requests",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "responsible-disclosure@pingidentity.com",
          "ID": "CVE-2022-23719",
          "STATE": "PUBLIC",
          "TITLE": "PingID Windows Login prior to 2.8 does not authenticate communication with a local Java service used to capture security key requests"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "PingID Windows Login",
                      "version": {
                        "version_data": [
                          {
                            "platform": "Windows",
                            "version_affected": "\u003c",
                            "version_value": "2.8"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Ping Identity"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Ping Identity credits The Commonwealth Bank of Australia for the discovery of this vulnerability."
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "PingID Windows Login prior to 2.8 does not authenticate communication with a local Java service used to capture security key requests. An attacker with the ability to execute code on the target machine maybe able to exploit and spoof the local Java service using multiple attack vectors. A successful attack can lead to code executed as SYSTEM by the PingID Windows Login application, or even a denial of service for offline security key authentication."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-310 Cryptographic Issues"
                }
              ]
            },
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-288 Authentication Bypass Using an Alternate Path or Channel"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.pingidentity.com/en/resources/downloads/pingid.html",
              "refsource": "MISC",
              "url": "https://www.pingidentity.com/en/resources/downloads/pingid.html"
            },
            {
              "name": "https://docs.pingidentity.com/bundle/pingid/page/zhy1653552428545.html",
              "refsource": "MISC",
              "url": "https://docs.pingidentity.com/bundle/pingid/page/zhy1653552428545.html"
            }
          ]
        },
        "source": {
          "advisory": "SECADV031",
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "5998a2e9-ae88-42cd-b6e0-7564fd979f9e",
    "assignerShortName": "Ping Identity",
    "cveId": "CVE-2022-23719",
    "datePublished": "2022-06-30T19:25:35",
    "dateReserved": "2022-01-19T00:00:00",
    "dateUpdated": "2024-08-03T03:51:46.025Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-23718 (GCVE-0-2022-23718)

Vulnerability from nvd – Published: 2022-06-30 19:25 – Updated: 2024-08-03 03:51
Title
PingID Windows Login prior to 2.8 uses known vulnerable components that can lead to remote code execution
Summary
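PingID Windows Login prior to 2.8 uses known vulnerable components that can lead to remote code execution. An attacker capable of achieving a sophisticated man-in-the-middle position, or of compromising Ping Identity web servers, could deliver malicious code that would be executed as SYSTEM by the PingID Windows Login application.
Note on the record below: the CNA metrics and both vector strings give A:H, while the legacy v4 "impact" block lists "availabilityImpact": "NONE"; when scoring or triaging, rely on the vector string rather than that legacy field.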
CWE
  • CWE-1352 - OWASP Top Ten 2021 Category A06:2021 - Vulnerable and Outdated Components
Assigner
Impacted products
Vendor Product Version
Ping Identity PingID Windows Login Affected: unspecified , < 2.8 (custom)
Credits
Ping Identity credits The Commonwealth Bank of Australia for the discovery of this vulnerability.

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T03:51:46.036Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.pingidentity.com/en/resources/downloads/pingid.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://docs.pingidentity.com/bundle/pingid/page/zhy1653552428545.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "platforms": [
            "Windows"
          ],
          "product": "PingID Windows Login",
          "vendor": "Ping Identity",
          "versions": [
            {
              "lessThan": "2.8",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Ping Identity credits The Commonwealth Bank of Australia for the discovery of this vulnerability."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "PingID Windows Login prior to 2.8 uses known vulnerable components that can lead to remote code execution. An attacker capable of achieving a sophisticated man-in-the-middle position, or to compromise Ping Identity web servers, could deliver malicious code that would be executed as SYSTEM by the PingID Windows Login application."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1352",
              "description": "CWE-1352 OWASP Top Ten 2021 Category A06:2021 - Vulnerable and Outdated Components",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-06-30T19:25:30",
        "orgId": "5998a2e9-ae88-42cd-b6e0-7564fd979f9e",
        "shortName": "Ping Identity"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.pingidentity.com/en/resources/downloads/pingid.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://docs.pingidentity.com/bundle/pingid/page/zhy1653552428545.html"
        }
      ],
      "source": {
        "advisory": "SECADV031",
        "discovery": "EXTERNAL"
      },
      "title": "PingID Windows Login prior to 2.8 uses known vulnerable components that can lead to remote code execution",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "responsible-disclosure@pingidentity.com",
          "ID": "CVE-2022-23718",
          "STATE": "PUBLIC",
          "TITLE": "PingID Windows Login prior to 2.8 uses known vulnerable components that can lead to remote code execution"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "PingID Windows Login",
                      "version": {
                        "version_data": [
                          {
                            "platform": "Windows",
                            "version_affected": "\u003c",
                            "version_value": "2.8"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Ping Identity"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Ping Identity credits The Commonwealth Bank of Australia for the discovery of this vulnerability."
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "PingID Windows Login prior to 2.8 uses known vulnerable components that can lead to remote code execution. An attacker capable of achieving a sophisticated man-in-the-middle position, or to compromise Ping Identity web servers, could deliver malicious code that would be executed as SYSTEM by the PingID Windows Login application."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-1352 OWASP Top Ten 2021 Category A06:2021 - Vulnerable and Outdated Components"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.pingidentity.com/en/resources/downloads/pingid.html",
              "refsource": "MISC",
              "url": "https://www.pingidentity.com/en/resources/downloads/pingid.html"
            },
            {
              "name": "https://docs.pingidentity.com/bundle/pingid/page/zhy1653552428545.html",
              "refsource": "MISC",
              "url": "https://docs.pingidentity.com/bundle/pingid/page/zhy1653552428545.html"
            }
          ]
        },
        "source": {
          "advisory": "SECADV031",
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "5998a2e9-ae88-42cd-b6e0-7564fd979f9e",
    "assignerShortName": "Ping Identity",
    "cveId": "CVE-2022-23718",
    "datePublished": "2022-06-30T19:25:30",
    "dateReserved": "2022-01-19T00:00:00",
    "dateUpdated": "2024-08-03T03:51:46.036Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-23717 (GCVE-0-2022-23717)

Vulnerability from nvd – Published: 2022-06-30 19:25 – Updated: 2024-08-03 03:51
Title
PingID Windows Login prior to 2.8 denial of service condition
Summary
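PingID Windows Login prior to 2.8 is vulnerable to a denial of service condition on local machines when combined with using offline security keys as part of authentication.
Note on the record below: the CNA metrics rate the base score of 5 as MEDIUM, while the legacy v4 "impact" block labels the same score "baseSeverity": "HIGH"; a CVSS 3.1 base score of 5.0 falls in the Medium band, so treat the legacy label as the inconsistent one.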
CWE
  • CWE-404 - Improper Resource Shutdown or Release
Assigner
Impacted products
Vendor Product Version
Ping Identity PingID Windows Login Affected: unspecified , < 2.8 (custom)
Credits
Ping Identity credits The Commonwealth Bank of Australia for the discovery of this vulnerability.

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T03:51:45.972Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.pingidentity.com/en/resources/downloads/pingid.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://docs.pingidentity.com/bundle/pingid/page/zhy1653552428545.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "platforms": [
            "Windows"
          ],
          "product": "PingID Windows Login",
          "vendor": "Ping Identity",
          "versions": [
            {
              "lessThan": "2.8",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Ping Identity credits The Commonwealth Bank of Australia for the discovery of this vulnerability."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "PingID Windows Login prior to 2.8 is vulnerable to a denial of service condition on local machines when combined with using offline security keys as part of authentication."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-404",
              "description": "CWE-404 Improper Resource Shutdown or Release",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-06-30T19:25:27",
        "orgId": "5998a2e9-ae88-42cd-b6e0-7564fd979f9e",
        "shortName": "Ping Identity"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.pingidentity.com/en/resources/downloads/pingid.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://docs.pingidentity.com/bundle/pingid/page/zhy1653552428545.html"
        }
      ],
      "source": {
        "advisory": "SECADV031",
        "discovery": "EXTERNAL"
      },
      "title": "PingID Windows Login prior to 2.8 denial of service condition",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "responsible-disclosure@pingidentity.com",
          "ID": "CVE-2022-23717",
          "STATE": "PUBLIC",
          "TITLE": "PingID Windows Login prior to 2.8 denial of service condition"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "PingID Windows Login",
                      "version": {
                        "version_data": [
                          {
                            "platform": "Windows",
                            "version_affected": "\u003c",
                            "version_value": "2.8"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Ping Identity"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Ping Identity credits The Commonwealth Bank of Australia for the discovery of this vulnerability."
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "PingID Windows Login prior to 2.8 is vulnerable to a denial of service condition on local machines when combined with using offline security keys as part of authentication."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:N/I:N/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-404 Improper Resource Shutdown or Release"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.pingidentity.com/en/resources/downloads/pingid.html",
              "refsource": "MISC",
              "url": "https://www.pingidentity.com/en/resources/downloads/pingid.html"
            },
            {
              "name": "https://docs.pingidentity.com/bundle/pingid/page/zhy1653552428545.html",
              "refsource": "MISC",
              "url": "https://docs.pingidentity.com/bundle/pingid/page/zhy1653552428545.html"
            }
          ]
        },
        "source": {
          "advisory": "SECADV031",
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "5998a2e9-ae88-42cd-b6e0-7564fd979f9e",
    "assignerShortName": "Ping Identity",
    "cveId": "CVE-2022-23717",
    "datePublished": "2022-06-30T19:25:27",
    "dateReserved": "2022-01-19T00:00:00",
    "dateUpdated": "2024-08-03T03:51:45.972Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-23724 (GCVE-0-2022-23724)

Vulnerability from nvd – Published: 2022-05-04 16:30 – Updated: 2024-08-03 03:51
Title
PingID Integration for Windows Login MFA Bypass
Summary
Use of static encryption key material allows forging an authentication token to other users within a tenant organization. MFA may be bypassed by redirecting an authentication flow to a target user. To exploit the vulnerability, an attacker must have compromised user credentials.
CWE
  • CWE-310 - Cryptographic Issues
  • CWE-288 - Authentication Bypass Using an Alternate Path or Channel
Assigner
Impacted products
Vendor Product Version
Ping Identity PingID Integration for Windows Login Affected: unspecified , ≤ 2.4.1 (custom)
Credits
Ping Identity credits Julian Scionti for the discovery and responsible disclosure of this vulnerability.

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T03:51:46.013Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.pingidentity.com/en/resources/downloads/pingid.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://docs.pingidentity.com/bundle/pingid/page/xqz1597139945488.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "PingID Integration for Windows Login",
          "vendor": "Ping Identity",
          "versions": [
            {
              "lessThanOrEqual": "2.4.1",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Ping Identity credits Julian Scionti for the discovery and responsible disclosure of this vulnerability."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Use of static encryption key material allows forging an authentication token to other users within a tenant organization. MFA may be bypassed by redirecting an authentication flow to a target user. To exploit the vulnerability, must have compromised user credentials."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-310",
              "description": "CWE-310 Cryptographic Issues",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-288",
              "description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-05-04T16:30:11",
        "orgId": "5998a2e9-ae88-42cd-b6e0-7564fd979f9e",
        "shortName": "Ping Identity"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.pingidentity.com/en/resources/downloads/pingid.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://docs.pingidentity.com/bundle/pingid/page/xqz1597139945488.html"
        }
      ],
      "source": {
        "defect": [
          "PID-9404",
          "PID-9447"
        ],
        "discovery": "EXTERNAL"
      },
      "title": " PingID Integration for Windows Login MFA Bypass",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "responsible-disclosure@pingidentity.com",
          "ID": "CVE-2022-23724",
          "STATE": "PUBLIC",
          "TITLE": " PingID Integration for Windows Login MFA Bypass"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "PingID Integration for Windows Login",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "2.4.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Ping Identity"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Ping Identity credits Julian Scionti for the discovery and responsible disclosure of this vulnerability."
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Use of static encryption key material allows forging an authentication token to other users within a tenant organization. MFA may be bypassed by redirecting an authentication flow to a target user. To exploit the vulnerability, must have compromised user credentials."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-310 Cryptographic Issues"
                }
              ]
            },
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-288 Authentication Bypass Using an Alternate Path or Channel"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.pingidentity.com/en/resources/downloads/pingid.html",
              "refsource": "MISC",
              "url": "https://www.pingidentity.com/en/resources/downloads/pingid.html"
            },
            {
              "name": "https://docs.pingidentity.com/bundle/pingid/page/xqz1597139945488.html",
              "refsource": "CONFIRM",
              "url": "https://docs.pingidentity.com/bundle/pingid/page/xqz1597139945488.html"
            }
          ]
        },
        "source": {
          "defect": [
            "PID-9404",
            "PID-9447"
          ],
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "5998a2e9-ae88-42cd-b6e0-7564fd979f9e",
    "assignerShortName": "Ping Identity",
    "cveId": "CVE-2022-23724",
    "datePublished": "2022-05-04T16:30:11",
    "dateReserved": "2022-01-19T00:00:00",
    "dateUpdated": "2024-08-03T03:51:46.013Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-41992 (GCVE-0-2021-41992)

Vulnerability from nvd – Published: 2022-04-30 21:15 – Updated: 2024-08-04 03:22
Title
PingID Windows Login RSA cryptographic weakness with possible offline MFA bypass
Summary
A misconfiguration of RSA in PingID Windows Login prior to 2.7 leaves it vulnerable to pre-computed dictionary attacks, leading to an offline MFA bypass.
CWE
  • CWE-310 - Cryptographic Issues
  • CWE-288 - Authentication Bypass Using an Alternate Path or Channel
Assigner
Impacted products
Vendor Product Version
Ping Identity PingID Windows Login Affected: unspecified , < 2.7 (custom)
Credits
Ping Identity credits The Commonwealth Bank of Australia for the discovery of this vulnerability.

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T03:22:25.674Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.pingidentity.com/en/resources/downloads/pingid.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://docs.pingidentity.com/bundle/pingid/page/klc1641469599716.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "platforms": [
            "Windows"
          ],
          "product": "PingID Windows Login",
          "vendor": "Ping Identity",
          "versions": [
            {
              "lessThan": "2.7",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Ping Identity credits The Commonwealth Bank of Australia for the discovery of this vulnerability."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A misconfiguration of RSA in PingID Windows Login prior to 2.7 is vulnerable to pre-computed dictionary attacks, leading to an offline MFA bypass."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.7,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-310",
              "description": "CWE-310 Cryptographic Issues",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-288",
              "description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-04-30T21:15:19",
        "orgId": "5998a2e9-ae88-42cd-b6e0-7564fd979f9e",
        "shortName": "Ping Identity"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.pingidentity.com/en/resources/downloads/pingid.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://docs.pingidentity.com/bundle/pingid/page/klc1641469599716.html"
        }
      ],
      "source": {
        "advisory": "SECADV030",
        "discovery": "EXTERNAL"
      },
      "title": "PingID Windows Login RSA cryptographic weakness with possible offline MFA bypass",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "responsible-disclosure@pingidentity.com",
          "ID": "CVE-2021-41992",
          "STATE": "PUBLIC",
          "TITLE": "PingID Windows Login RSA cryptographic weakness with possible offline MFA bypass"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "PingID Windows Login",
                      "version": {
                        "version_data": [
                          {
                            "platform": "Windows",
                            "version_affected": "\u003c",
                            "version_value": "2.7"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Ping Identity"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Ping Identity credits The Commonwealth Bank of Australia for the discovery of this vulnerability."
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A misconfiguration of RSA in PingID Windows Login prior to 2.7 is vulnerable to pre-computed dictionary attacks, leading to an offline MFA bypass."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.7,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-310 Cryptographic Issues"
                }
              ]
            },
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-288 Authentication Bypass Using an Alternate Path or Channel"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.pingidentity.com/en/resources/downloads/pingid.html",
              "refsource": "MISC",
              "url": "https://www.pingidentity.com/en/resources/downloads/pingid.html"
            },
            {
              "name": "https://docs.pingidentity.com/bundle/pingid/page/klc1641469599716.html",
              "refsource": "MISC",
              "url": "https://docs.pingidentity.com/bundle/pingid/page/klc1641469599716.html"
            }
          ]
        },
        "source": {
          "advisory": "SECADV030",
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "5998a2e9-ae88-42cd-b6e0-7564fd979f9e",
    "assignerShortName": "Ping Identity",
    "cveId": "CVE-2021-41992",
    "datePublished": "2022-04-30T21:15:19",
    "dateReserved": "2021-10-04T00:00:00",
    "dateUpdated": "2024-08-04T03:22:25.674Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2020-25826 (GCVE-0-2020-25826)

Vulnerability from nvd – Published: 2020-09-23 04:45 – Updated: 2024-08-04 15:40
Summary
PingID Integration for Windows Login before 2.4.2 allows local users to gain privileges by modifying CefSharp.BrowserSubprocess.exe.
Severity ?
No CVSS data available.
CWE
  • n/a
Assigner

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T15:40:36.949Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://gitlab.com/-/snippets/2017709"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://docs.pingidentity.com/bundle/pingid/page/xqz1597139945488.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "PingID Integration for Windows Login before 2.4.2 allows local users to gain privileges by modifying CefSharp.BrowserSubprocess.exe."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-09-23T04:45:13",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://gitlab.com/-/snippets/2017709"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://docs.pingidentity.com/bundle/pingid/page/xqz1597139945488.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2020-25826",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "PingID Integration for Windows Login before 2.4.2 allows local users to gain privileges by modifying CefSharp.BrowserSubprocess.exe."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://gitlab.com/-/snippets/2017709",
              "refsource": "MISC",
              "url": "https://gitlab.com/-/snippets/2017709"
            },
            {
              "name": "https://docs.pingidentity.com/bundle/pingid/page/xqz1597139945488.html",
              "refsource": "MISC",
              "url": "https://docs.pingidentity.com/bundle/pingid/page/xqz1597139945488.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2020-25826",
    "datePublished": "2020-09-23T04:45:13",
    "dateReserved": "2020-09-23T00:00:00",
    "dateUpdated": "2024-08-04T15:40:36.949Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}