CVE-2022-40722

EPSS 0.01%
Veröffentlicht 25.04.2023 19:15:10
Zuletzt bearbeitet 21.11.2024 07:21:56
Quelle responsible-disclosure@pingide
CVE-Watchlists
Login
Unerledigt
Login

A misconfiguration of RSA padding implemented in the PingID Adapter for PingFederate to support Offline MFA with PingID mobile authenticators is vulnerable to pre-computed dictionary attacks, leading to a bypass of offline MFA.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Pingidentity ≫ Pingfederate Version >= 11.1.0 <= 11.1.5

Pingidentity ≫ Pingfederate Version >= 11.2.0 <= 11.2.2

Pingidentity ≫ Pingid Adapter For Pingfederate Version < 2.13.2

Pingidentity ≫ Pingid Integration Kit Version < 2.24

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.01%	0.007

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.8	1.3	4	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:N
responsible-disclosure@pingidentity.com	7.7	1.3	5.8	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N

CWE-327 Use of a Broken or Risky Cryptographic Algorithm

The product uses a broken or risky cryptographic algorithm or protocol.

CWE-780 Use of RSA Algorithm without OAEP

The product uses the RSA algorithm but does not incorporate Optimal Asymmetric Encryption Padding (OAEP), which might weaken the encryption.

https://docs.pingidentity.com/r/en-us/pingid/pingid_adapter_configuring_offline_mfa

Product

https://docs.pingidentity.com/r/en-us/pingid/pingid_integration_kit_2_20_rn

Release Notes

https://nvd.nist.gov/vuln/detail/CVE-2022-40722

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-40722

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-40722

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2022-40722