Misconfiguration of RSA padding for offline MFA in the PingID Adapter for PingFederate.
CVE-2022-40722

7.7HIGH

Key Information:

Vendor

Ping Identity

Status
Pingid Adapter For Pingfederate
Pingid Integration Kit (includes Pingid Adapter)
Pingfederate (includes Pingid Adapter)
Vendor
CVE Published:
25 April 2023

What is CVE-2022-40722?

A misconfiguration in the RSA padding implemented within the PingID Adapter for PingFederate has been identified, making it vulnerable to pre-computed dictionary attacks. This vulnerability allows attackers to bypass the offline multi-factor authentication (MFA) process, undermining the security of users who rely on the PingID mobile authenticators for access control. Proper configuration is essential to mitigate the risks associated with this vulnerability.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

PingFederate (includes PingID Adapter) 11.1.0 < 11.1.0*

PingFederate (includes PingID Adapter) 11.1.5

PingFederate (includes PingID Adapter) 11.2.0 < 11.2.0*

References

https://docs.pingidentity.com/r/en-us/pingid/pingid_integ...
https://docs.pingidentity.com/r/en-us/pingid/pingid_adapt...

CVSS V3.1

Score:
7.7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
High
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Ping Identity credits The Commonwealth Bank of Australia for the discovery of this vulnerability.
JSON
.