Ping Identity PingFederate Password Reset and Password Change Mishandling with an authentication policy in parallel reset flows
CVE-2021-42000

5.3MEDIUM

Key Information:

Vendor: Ping Identity
Status: Pingfederate
Vendor: CVE Published:; 10 February 2022

🔔 Create Ping Identity Vulnerability Alert

What is CVE-2021-42000?

When a password reset or password change flow with an authentication policy is configured and the adapter in the reset or change policy supports multiple parallel reset flows, an existing user can reset another existing users password.

Affected Version(s)

PingFederate 9.3.3-P15 < 9.3.0*

PingFederate 10.0.11 < 10.0.0*

PingFederate 10.1.8 < 10.1.0*

References

https://www.pingidentity.com/en/resources/downloads/pingf...

x_refsource_MISC

https://docs.pingidentity.com/bundle/pingfederate-103/pag...

x_refsource_MISC

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 10, 2022
Vulnerability Reserved
Oct 4, 2021