6.5
CVE-2021-42000
- EPSS 0.53%
- Veröffentlicht 10.02.2022 23:15:07
- Zuletzt bearbeitet 21.11.2024 06:27:02
- Quelle responsible-disclosure@pingide
- CVE-Watchlists
- Unerledigt
LoginPing Identity PingFederate Password Reset and Password Change Mishandling with an authentication policy in parallel reset flows
When a password reset or password change flow with an authentication policy is configured and the adapter in the reset or change policy supports multiple parallel reset flows, an existing user can reset another existing users password.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Pingidentity ≫ Pingfederate Version <= 9.3.0
Pingidentity ≫ Pingfederate Version >= 10.0.0 <= 10.0.11
Pingidentity ≫ Pingfederate Version >= 10.1.0 <= 10.1.8
Pingidentity ≫ Pingfederate Version >= 10.2.0 <= 10.2.6
Pingidentity ≫ Pingfederate Version >= 10.3.0 <= 10.3.2
Pingidentity ≫ Pingfederate Version9.3.3 Update-
Pingidentity ≫ Pingfederate Version9.3.3 Updatep15
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.53% | 0.403 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 6.5 | 2.8 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
|
| nvd@nist.gov | 3.5 | 6.8 | 2.9 |
AV:N/AC:M/Au:S/C:N/I:P/A:N
|
| responsible-disclosure@pingidentity.com | 5.3 | 1.6 | 3.6 |
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
|
CWE-285 Improper Authorization
The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
https://www.pingidentity.com/en/resources/downloads/pingfederate.html
https://docs.pingidentity.com/bundle/pingfederate-103/page/hhm1634833631515.html