CVE-2023-40356
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
PingOne MFA Integration Kit contains a vulnerability related to the Prompt Users to Set Up MFA configuration. Under certain conditions, this configuration could allow for a new MFA device to be paired with a target user account without requiring second-factor authentication from the target’s existing registered devices. A threat actor might be able to exploit this vulnerability to register their own MFA device with a target user’s account if they have existing knowledge of the target user’s first factor credential.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Ping Identity | PingOne MFA Integration Kit for PingFederate | 0 < 2.3.1 | affected |
Weaknesses
- CWE-290: CWE-290 Authentication Bypass by Spoofing
Workarounds
Disable the Prompt Users to Set Up MFA option in your PingOne MFA adapter configuration.
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
CVE Program Container
Additional References
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.