Misconfiguration of RSA padding for offline MFA in the PingID Adapter for PingFederate.
CVE-2022-40722

7.7HIGH

Key Information:

Vendor: Ping Identity
Status: Pingid Adapter For Pingfederate; Pingid Integration Kit (includes Pingid Adapter); Pingfederate (includes Pingid Adapter)
Vendor: CVE Published:; 25 April 2023

🔔 Create Ping Identity Vulnerability Alert

What is CVE-2022-40722?

A misconfiguration in the RSA padding implemented within the PingID Adapter for PingFederate has been identified, making it vulnerable to pre-computed dictionary attacks. This vulnerability allows attackers to bypass the offline multi-factor authentication (MFA) process, undermining the security of users who rely on the PingID mobile authenticators for access control. Proper configuration is essential to mitigate the risks associated with this vulnerability.

Affected Version(s)

PingFederate (includes PingID Adapter) 11.1.0 < 11.1.0*

PingFederate (includes PingID Adapter) 11.1.5

PingFederate (includes PingID Adapter) 11.2.0 < 11.2.0*

References

https://docs.pingidentity.com/r/en-us/pingid/pingid_integ...

https://docs.pingidentity.com/r/en-us/pingid/pingid_adapt...

CVSS V3.1

Score:

7.7

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

High

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 25, 2023
Vulnerability Reserved
Sep 14, 2022

Credit

Ping Identity credits The Commonwealth Bank of Australia for the discovery of this vulnerability.