CVE-2023-40702
7.7
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
PingOne MFA Integration Kit contains a vulnerability where the skipMFA action can be configured such that user authentication does not require the second factor authentication from the user's existing registered devices. A threat actor might be able to exploit this vulnerability to authenticate as a target user if they have existing knowledge of the target user’s first-factor credentials.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Ping Identity | PingOne MFA Integration Kit for PingFederate | 0 < 2.3.1 | affected |
Weaknesses
- CWE-290: CWE-290 Authentication Bypass by Spoofing
Workarounds
Disable the Allow Users to Skip MFA Setup in your PingOne MFA adapter configuration.
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
CVE Program Container
Additional References
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.