CVE-2022-40722

Summary

A misconfiguration of RSA padding implemented in the PingID Adapter for PingFederate to support Offline MFA with PingID mobile authenticators is vulnerable to pre-computed dictionary attacks, leading to a bypass of offline MFA.

Affected Software

VendorProductVersion RangeStatus
Ping IdentityPingID Adapter for PingFederate2.13.2 < 2.13.2affected
Ping IdentityPingID Integration Kit (includes PingID Adapter)2.24 < 2.24affected
Ping IdentityPingFederate (includes PingID Adapter)11.1.0 < 11.1.0*affected
Ping IdentityPingFederate (includes PingID Adapter)11.1.5 <= 11.1.5affected
Ping IdentityPingFederate (includes PingID Adapter)11.2.0 < 11.2.0*affected
Ping IdentityPingFederate (includes PingID Adapter)11.2.2 <= 11.2.2affected

Weaknesses

  • CWE-780: CWE-780 Use of RSA Algorithm without OAEP

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References