CVE-2021-42000

EPSS 0.12%
Veröffentlicht 10.02.2022 23:15:07
Zuletzt bearbeitet 21.11.2024 06:27:02
Quelle responsible-disclosure@pingide
CVE-Watchlists
Login
Unerledigt
Login

When a password reset or password change flow with an authentication policy is configured and the adapter in the reset or change policy supports multiple parallel reset flows, an existing user can reset another existing users password.

Betroffene Produkte Warnungen 0 Metriken 4 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Pingidentity ≫ Pingfederate Version <= 9.3.0

Pingidentity ≫ Pingfederate Version >= 10.0.0 <= 10.0.11

Pingidentity ≫ Pingfederate Version >= 10.1.0 <= 10.1.8

Pingidentity ≫ Pingfederate Version >= 10.2.0 <= 10.2.6

Pingidentity ≫ Pingfederate Version >= 10.3.0 <= 10.3.2

Pingidentity ≫ Pingfederate Version9.3.3 Update-

Pingidentity ≫ Pingfederate Version9.3.3 Updatep15

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.12%	0.313

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
nvd@nist.gov	3.5	6.8	2.9	AV:N/AC:M/Au:S/C:N/I:P/A:N
responsible-disclosure@pingidentity.com	5.3	1.6	3.6	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N

CWE-285 Improper Authorization

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

https://www.pingidentity.com/en/resources/downloads/pingfederate.html

Vendor Advisory

https://docs.pingidentity.com/bundle/pingfederate-103/page/hhm1634833631515.html

Vendor Advisory

Release Notes

https://nvd.nist.gov/vuln/detail/CVE-2021-42000

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-42000

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-42000

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2021-42000