PingID Integration for Windows Login MFA Bypass
CVE-2022-23724

6.4MEDIUM

Key Information:

Vendor: Ping Identity
Status: Pingid Integration For Windows Login
Vendor: CVE Published:; 4 May 2022

🔔 Create Ping Identity Vulnerability Alert

What is CVE-2022-23724?

Use of static encryption key material allows forging an authentication token to other users within a tenant organization. MFA may be bypassed by redirecting an authentication flow to a target user. To exploit the vulnerability, must have compromised user credentials.

Affected Version(s)

PingID Integration for Windows Login <= 2.4.1

References

https://www.pingidentity.com/en/resources/downloads/pingi...

x_refsource_MISC

https://docs.pingidentity.com/bundle/pingid/page/xqz15971...

x_refsource_CONFIRM

CVSS V3.1

Score:

6.4

Severity:

MEDIUM

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 4, 2022
Vulnerability Reserved
Jan 19, 2022

Credit

Ping Identity credits Julian Scionti for the discovery and responsible disclosure of this vulnerability.

JSON