Search criteria
6 vulnerabilities found for pingid_integration_kit by pingidentity
FKIE_CVE-2022-40722
Vulnerability from fkie_nvd - Published: 2023-04-25 19:15 - Updated: 2024-11-21 07:21
Severity ?
7.7 (High) - CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N
5.8 (Medium) - CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:N
5.8 (Medium) - CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:N
Summary
A misconfiguration of RSA padding implemented in the PingID Adapter for PingFederate to support Offline MFA with PingID mobile authenticators is vulnerable to pre-computed dictionary attacks, leading to a bypass of offline MFA.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| pingidentity | pingfederate | * | |
| pingidentity | pingfederate | * | |
| pingidentity | pingid_adapter_for_pingfederate | * | |
| pingidentity | pingid_integration_kit | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:pingidentity:pingfederate:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4F085AB7-29E3-4CC6-88C6-49EF87B1E7E9",
"versionEndIncluding": "11.1.5",
"versionStartIncluding": "11.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pingidentity:pingfederate:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2F76BB82-2AE0-4330-84E7-BBFFABF030C0",
"versionEndIncluding": "11.2.2",
"versionStartIncluding": "11.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pingidentity:pingid_adapter_for_pingfederate:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9285EE82-E2F6-4C82-8F0E-2149B8652E71",
"versionEndExcluding": "2.13.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pingidentity:pingid_integration_kit:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A0D3BE72-98EE-4FE4-BF80-CDD66F495AC1",
"versionEndExcluding": "2.24",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A misconfiguration of RSA padding implemented in the PingID Adapter for PingFederate to support Offline MFA with PingID mobile authenticators is vulnerable to pre-computed dictionary attacks, leading to a bypass of offline MFA."
}
],
"id": "CVE-2022-40722",
"lastModified": "2024-11-21T07:21:56.117",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.3,
"impactScore": 5.8,
"source": "responsible-disclosure@pingidentity.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.3,
"impactScore": 4.0,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-04-25T19:15:10.240",
"references": [
{
"source": "responsible-disclosure@pingidentity.com",
"tags": [
"Product"
],
"url": "https://docs.pingidentity.com/r/en-us/pingid/pingid_adapter_configuring_offline_mfa"
},
{
"source": "responsible-disclosure@pingidentity.com",
"tags": [
"Release Notes"
],
"url": "https://docs.pingidentity.com/r/en-us/pingid/pingid_integration_kit_2_20_rn"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "https://docs.pingidentity.com/r/en-us/pingid/pingid_adapter_configuring_offline_mfa"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://docs.pingidentity.com/r/en-us/pingid/pingid_integration_kit_2_20_rn"
}
],
"sourceIdentifier": "responsible-disclosure@pingidentity.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-780"
}
],
"source": "responsible-disclosure@pingidentity.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-327"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2022-40723
Vulnerability from fkie_nvd - Published: 2023-04-25 19:15 - Updated: 2024-11-21 07:21
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Summary
The PingID RADIUS PCV adapter for PingFederate, which supports RADIUS authentication with PingID MFA, is vulnerable to MFA bypass under certain configurations.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| pingidentity | pingfederate | * | |
| pingidentity | pingfederate | * | |
| pingidentity | pingid_integration_kit | * | |
| pingidentity | radius_pcv | * | |
| pingidentity | radius_pcv | 2.10.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:pingidentity:pingfederate:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4F085AB7-29E3-4CC6-88C6-49EF87B1E7E9",
"versionEndIncluding": "11.1.5",
"versionStartIncluding": "11.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pingidentity:pingfederate:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2F76BB82-2AE0-4330-84E7-BBFFABF030C0",
"versionEndIncluding": "11.2.2",
"versionStartIncluding": "11.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pingidentity:pingid_integration_kit:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A0D3BE72-98EE-4FE4-BF80-CDD66F495AC1",
"versionEndExcluding": "2.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pingidentity:radius_pcv:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4A97675A-6B44-4AB9-AC7A-D67153A0273C",
"versionEndExcluding": "3.0.2",
"versionStartIncluding": "3.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pingidentity:radius_pcv:2.10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "73EC03B9-23AE-4E5C-A7AD-44D10E3997FA",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The PingID RADIUS PCV adapter for PingFederate, which supports RADIUS authentication with PingID MFA, is vulnerable to MFA bypass under certain configurations."
}
],
"id": "CVE-2022-40723",
"lastModified": "2024-11-21T07:21:56.260",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "responsible-disclosure@pingidentity.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-04-25T19:15:10.310",
"references": [
{
"source": "responsible-disclosure@pingidentity.com",
"tags": [
"Release Notes"
],
"url": "https://docs.pingidentity.com/r/en-us/pingid/pingid_integration_kit_2_19_rn"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://docs.pingidentity.com/r/en-us/pingid/pingid_integration_kit_2_19_rn"
}
],
"sourceIdentifier": "responsible-disclosure@pingidentity.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-305"
}
],
"source": "responsible-disclosure@pingidentity.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-287"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2022-40723 (GCVE-0-2022-40723)
Vulnerability from cvelistv5 – Published: 2023-04-25 00:00 – Updated: 2025-02-04 14:48
VLAI?
Title
Configuration-based MFA Bypass in PingID RADIUS PCV.
Summary
The PingID RADIUS PCV adapter for PingFederate, which supports RADIUS authentication with PingID MFA, is vulnerable to MFA bypass under certain configurations.
Severity ?
CWE
- CWE-305 - Authentication Bypass by Primary Weakness
Assigner
References
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Ping Identity | PingID Radius PCV |
Affected:
2.10.0
Affected: 3.0.0 , < 3.0.0* (custom) Affected: 3.0.2 , ≤ 3.0.2 (custom) |
||||||||||||
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:21:46.787Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://docs.pingidentity.com/r/en-us/pingid/pingid_integration_kit_2_19_rn"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-40723",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-04T14:48:50.451839Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-04T14:48:54.313Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "PingID Radius PCV",
"vendor": "Ping Identity",
"versions": [
{
"status": "affected",
"version": "2.10.0"
},
{
"lessThan": "3.0.0*",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "3.0.2",
"status": "affected",
"version": "3.0.2",
"versionType": "custom"
}
]
},
{
"product": "PingID Integration Kit (includes Radius PCV)",
"vendor": "Ping Identity",
"versions": [
{
"lessThan": "2.24",
"status": "affected",
"version": "2.24",
"versionType": "custom"
}
]
},
{
"product": "PingFederate (includes Radius PCV)",
"vendor": "Ping Identity",
"versions": [
{
"lessThan": "11.1.0*",
"status": "affected",
"version": "11.1.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "11.1.5",
"status": "affected",
"version": "11.1.5",
"versionType": "custom"
},
{
"lessThan": "11.2.0*",
"status": "affected",
"version": "11.2.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "11.2.2",
"status": "affected",
"version": "11.2.2",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The PingID RADIUS PCV adapter for PingFederate, which supports RADIUS authentication with PingID MFA, is vulnerable to MFA bypass under certain configurations."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"exploitCodeMaturity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"remediationLevel": "UNAVAILABLE",
"reportConfidence": "CONFIRMED",
"scope": "UNCHANGED",
"temporalScore": 6.5,
"temporalSeverity": "MEDIUM",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:H/RL:U/RC:C",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-305",
"description": "CWE-305 Authentication Bypass by Primary Weakness",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-04-25T00:00:00.000Z",
"orgId": "5998a2e9-ae88-42cd-b6e0-7564fd979f9e",
"shortName": "Ping Identity"
},
"references": [
{
"url": "https://docs.pingidentity.com/r/en-us/pingid/pingid_integration_kit_2_19_rn"
}
],
"source": {
"advisory": "SECADV035",
"defect": [
"PIM-3774"
],
"discovery": "INTERNAL"
},
"title": "Configuration-based MFA Bypass in PingID RADIUS PCV."
}
},
"cveMetadata": {
"assignerOrgId": "5998a2e9-ae88-42cd-b6e0-7564fd979f9e",
"assignerShortName": "Ping Identity",
"cveId": "CVE-2022-40723",
"datePublished": "2023-04-25T00:00:00.000Z",
"dateReserved": "2022-09-14T00:00:00.000Z",
"dateUpdated": "2025-02-04T14:48:54.313Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-40722 (GCVE-0-2022-40722)
Vulnerability from cvelistv5 – Published: 2023-04-25 00:00 – Updated: 2025-02-04 14:49
VLAI?
Title
Misconfiguration of RSA padding for offline MFA in the PingID Adapter for PingFederate.
Summary
A misconfiguration of RSA padding implemented in the PingID Adapter for PingFederate to support Offline MFA with PingID mobile authenticators is vulnerable to pre-computed dictionary attacks, leading to a bypass of offline MFA.
Severity ?
7.7 (High)
CWE
- CWE-780 - Use of RSA Algorithm without OAEP
Assigner
References
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Ping Identity | PingID Adapter for PingFederate |
Affected:
2.13.2 , < 2.13.2
(custom)
|
||||||||||||
|
||||||||||||||
Credits
Ping Identity credits The Commonwealth Bank of Australia for the discovery of this vulnerability.
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:21:46.770Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://docs.pingidentity.com/r/en-us/pingid/pingid_integration_kit_2_20_rn"
},
{
"tags": [
"x_transferred"
],
"url": "https://docs.pingidentity.com/r/en-us/pingid/pingid_adapter_configuring_offline_mfa"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-40722",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-04T14:49:10.680225Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-04T14:49:20.723Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "PingID Adapter for PingFederate",
"vendor": "Ping Identity",
"versions": [
{
"lessThan": "2.13.2",
"status": "affected",
"version": "2.13.2",
"versionType": "custom"
}
]
},
{
"product": "PingID Integration Kit (includes PingID Adapter)",
"vendor": "Ping Identity",
"versions": [
{
"lessThan": "2.24",
"status": "affected",
"version": "2.24",
"versionType": "custom"
}
]
},
{
"product": "PingFederate (includes PingID Adapter)",
"vendor": "Ping Identity",
"versions": [
{
"lessThan": "11.1.0*",
"status": "affected",
"version": "11.1.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "11.1.5",
"status": "affected",
"version": "11.1.5",
"versionType": "custom"
},
{
"lessThan": "11.2.0*",
"status": "affected",
"version": "11.2.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "11.2.2",
"status": "affected",
"version": "11.2.2",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Ping Identity credits The Commonwealth Bank of Australia for the discovery of this vulnerability."
}
],
"descriptions": [
{
"lang": "en",
"value": "A misconfiguration of RSA padding implemented in the PingID Adapter for PingFederate to support Offline MFA with PingID mobile authenticators is vulnerable to pre-computed dictionary attacks, leading to a bypass of offline MFA."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-780",
"description": "CWE-780 Use of RSA Algorithm without OAEP",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-04-25T00:00:00.000Z",
"orgId": "5998a2e9-ae88-42cd-b6e0-7564fd979f9e",
"shortName": "Ping Identity"
},
"references": [
{
"url": "https://docs.pingidentity.com/r/en-us/pingid/pingid_integration_kit_2_20_rn"
},
{
"url": "https://docs.pingidentity.com/r/en-us/pingid/pingid_adapter_configuring_offline_mfa"
}
],
"source": {
"advisory": "SECADV035",
"defect": [
"PIM-2677"
],
"discovery": "INTERNAL"
},
"title": "Misconfiguration of RSA padding for offline MFA in the PingID Adapter for PingFederate."
}
},
"cveMetadata": {
"assignerOrgId": "5998a2e9-ae88-42cd-b6e0-7564fd979f9e",
"assignerShortName": "Ping Identity",
"cveId": "CVE-2022-40722",
"datePublished": "2023-04-25T00:00:00.000Z",
"dateReserved": "2022-09-14T00:00:00.000Z",
"dateUpdated": "2025-02-04T14:49:20.723Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-40723 (GCVE-0-2022-40723)
Vulnerability from nvd – Published: 2023-04-25 00:00 – Updated: 2025-02-04 14:48
VLAI?
Title
Configuration-based MFA Bypass in PingID RADIUS PCV.
Summary
The PingID RADIUS PCV adapter for PingFederate, which supports RADIUS authentication with PingID MFA, is vulnerable to MFA bypass under certain configurations.
Severity ?
CWE
- CWE-305 - Authentication Bypass by Primary Weakness
Assigner
References
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Ping Identity | PingID Radius PCV |
Affected:
2.10.0
Affected: 3.0.0 , < 3.0.0* (custom) Affected: 3.0.2 , ≤ 3.0.2 (custom) |
||||||||||||
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:21:46.787Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://docs.pingidentity.com/r/en-us/pingid/pingid_integration_kit_2_19_rn"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-40723",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-04T14:48:50.451839Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-04T14:48:54.313Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "PingID Radius PCV",
"vendor": "Ping Identity",
"versions": [
{
"status": "affected",
"version": "2.10.0"
},
{
"lessThan": "3.0.0*",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "3.0.2",
"status": "affected",
"version": "3.0.2",
"versionType": "custom"
}
]
},
{
"product": "PingID Integration Kit (includes Radius PCV)",
"vendor": "Ping Identity",
"versions": [
{
"lessThan": "2.24",
"status": "affected",
"version": "2.24",
"versionType": "custom"
}
]
},
{
"product": "PingFederate (includes Radius PCV)",
"vendor": "Ping Identity",
"versions": [
{
"lessThan": "11.1.0*",
"status": "affected",
"version": "11.1.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "11.1.5",
"status": "affected",
"version": "11.1.5",
"versionType": "custom"
},
{
"lessThan": "11.2.0*",
"status": "affected",
"version": "11.2.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "11.2.2",
"status": "affected",
"version": "11.2.2",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The PingID RADIUS PCV adapter for PingFederate, which supports RADIUS authentication with PingID MFA, is vulnerable to MFA bypass under certain configurations."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"exploitCodeMaturity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"remediationLevel": "UNAVAILABLE",
"reportConfidence": "CONFIRMED",
"scope": "UNCHANGED",
"temporalScore": 6.5,
"temporalSeverity": "MEDIUM",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:H/RL:U/RC:C",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-305",
"description": "CWE-305 Authentication Bypass by Primary Weakness",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-04-25T00:00:00.000Z",
"orgId": "5998a2e9-ae88-42cd-b6e0-7564fd979f9e",
"shortName": "Ping Identity"
},
"references": [
{
"url": "https://docs.pingidentity.com/r/en-us/pingid/pingid_integration_kit_2_19_rn"
}
],
"source": {
"advisory": "SECADV035",
"defect": [
"PIM-3774"
],
"discovery": "INTERNAL"
},
"title": "Configuration-based MFA Bypass in PingID RADIUS PCV."
}
},
"cveMetadata": {
"assignerOrgId": "5998a2e9-ae88-42cd-b6e0-7564fd979f9e",
"assignerShortName": "Ping Identity",
"cveId": "CVE-2022-40723",
"datePublished": "2023-04-25T00:00:00.000Z",
"dateReserved": "2022-09-14T00:00:00.000Z",
"dateUpdated": "2025-02-04T14:48:54.313Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-40722 (GCVE-0-2022-40722)
Vulnerability from nvd – Published: 2023-04-25 00:00 – Updated: 2025-02-04 14:49
VLAI?
Title
Misconfiguration of RSA padding for offline MFA in the PingID Adapter for PingFederate.
Summary
A misconfiguration of RSA padding implemented in the PingID Adapter for PingFederate to support Offline MFA with PingID mobile authenticators is vulnerable to pre-computed dictionary attacks, leading to a bypass of offline MFA.
Severity ?
7.7 (High)
CWE
- CWE-780 - Use of RSA Algorithm without OAEP
Assigner
References
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Ping Identity | PingID Adapter for PingFederate |
Affected:
2.13.2 , < 2.13.2
(custom)
|
||||||||||||
|
||||||||||||||
Credits
Ping Identity credits The Commonwealth Bank of Australia for the discovery of this vulnerability.
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:21:46.770Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://docs.pingidentity.com/r/en-us/pingid/pingid_integration_kit_2_20_rn"
},
{
"tags": [
"x_transferred"
],
"url": "https://docs.pingidentity.com/r/en-us/pingid/pingid_adapter_configuring_offline_mfa"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-40722",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-04T14:49:10.680225Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-04T14:49:20.723Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "PingID Adapter for PingFederate",
"vendor": "Ping Identity",
"versions": [
{
"lessThan": "2.13.2",
"status": "affected",
"version": "2.13.2",
"versionType": "custom"
}
]
},
{
"product": "PingID Integration Kit (includes PingID Adapter)",
"vendor": "Ping Identity",
"versions": [
{
"lessThan": "2.24",
"status": "affected",
"version": "2.24",
"versionType": "custom"
}
]
},
{
"product": "PingFederate (includes PingID Adapter)",
"vendor": "Ping Identity",
"versions": [
{
"lessThan": "11.1.0*",
"status": "affected",
"version": "11.1.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "11.1.5",
"status": "affected",
"version": "11.1.5",
"versionType": "custom"
},
{
"lessThan": "11.2.0*",
"status": "affected",
"version": "11.2.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "11.2.2",
"status": "affected",
"version": "11.2.2",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Ping Identity credits The Commonwealth Bank of Australia for the discovery of this vulnerability."
}
],
"descriptions": [
{
"lang": "en",
"value": "A misconfiguration of RSA padding implemented in the PingID Adapter for PingFederate to support Offline MFA with PingID mobile authenticators is vulnerable to pre-computed dictionary attacks, leading to a bypass of offline MFA."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-780",
"description": "CWE-780 Use of RSA Algorithm without OAEP",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-04-25T00:00:00.000Z",
"orgId": "5998a2e9-ae88-42cd-b6e0-7564fd979f9e",
"shortName": "Ping Identity"
},
"references": [
{
"url": "https://docs.pingidentity.com/r/en-us/pingid/pingid_integration_kit_2_20_rn"
},
{
"url": "https://docs.pingidentity.com/r/en-us/pingid/pingid_adapter_configuring_offline_mfa"
}
],
"source": {
"advisory": "SECADV035",
"defect": [
"PIM-2677"
],
"discovery": "INTERNAL"
},
"title": "Misconfiguration of RSA padding for offline MFA in the PingID Adapter for PingFederate."
}
},
"cveMetadata": {
"assignerOrgId": "5998a2e9-ae88-42cd-b6e0-7564fd979f9e",
"assignerShortName": "Ping Identity",
"cveId": "CVE-2022-40722",
"datePublished": "2023-04-25T00:00:00.000Z",
"dateReserved": "2022-09-14T00:00:00.000Z",
"dateUpdated": "2025-02-04T14:49:20.723Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}