CVE-2022-40722
7.7
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N
Summary
A misconfiguration of RSA padding implemented in the PingID Adapter for PingFederate to support Offline MFA with PingID mobile authenticators is vulnerable to pre-computed dictionary attacks, leading to a bypass of offline MFA.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Ping Identity | PingID Adapter for PingFederate | 2.13.2 < 2.13.2 | affected |
| Ping Identity | PingID Integration Kit (includes PingID Adapter) | 2.24 < 2.24 | affected |
| Ping Identity | PingFederate (includes PingID Adapter) | 11.1.0 < 11.1.0* | affected |
| Ping Identity | PingFederate (includes PingID Adapter) | 11.1.5 <= 11.1.5 | affected |
| Ping Identity | PingFederate (includes PingID Adapter) | 11.2.0 < 11.2.0* | affected |
| Ping Identity | PingFederate (includes PingID Adapter) | 11.2.2 <= 11.2.2 | affected |
Weaknesses
- CWE-780: CWE-780 Use of RSA Algorithm without OAEP
ADP Enrichment
CVE Program Container
Additional References
- https://docs.pingidentity.com/r/en-us/pingid/pingid_integration_kit_2_20_rn
- https://docs.pingidentity.com/r/en-us/pingid/pingid_adapter_configuring_offline_mfa
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
- https://docs.pingidentity.com/r/en-us/pingid/pingid_integration_kit_2_20_rn
- https://docs.pingidentity.com/r/en-us/pingid/pingid_adapter_configuring_offline_mfa
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.