Delegated Admin Privilege Vulnerability in Ping Identity Directory Server
CVE-2023-36496

7.7 HIGH

Key Information:

Vendor
CVE Published: 1 February 2024

What is CVE-2023-36496?

The vulnerability affects the Delegated Admin Privilege virtual attribute provider plugin in Ping Identity's Directory Server. When the plugin is enabled, it permits an authenticated user to escalate their permissions. This unauthorized elevation of privileges could allow a user to gain excessive control over sensitive management functions within the Directory Server, potentially leading to security breaches. Organizations using affected versions of the Directory Server should review their configurations and apply the necessary patches to mitigate the associated risks.

Affected Version(s)

PingDirectory 8.3 <= 8.3.0.8

PingDirectory 9.0 <= 9.0.0.5

PingDirectory 9.1 <= 9.1.0.2

CVSS V3.1

Score: 7.7
Severity: HIGH
Confidentiality: Low
Integrity: High
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published
