CVE-2023-39231

PingFederate using the PingOne MFA adapter allows a new MFA device to be paired without requiring second factor authentication from an existing registered device. A threat actor may be able to exploit this vulnerability to register their own MFA device if they have knowledge of a victim user's first factor credentials.

CVSS v3 7.3 HIGH

7.3^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.1 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://docs.pingidentity.com/r/en-us/pingfederate-pingone-mfa-ik/bks1657303194394	Release Notes
https://www.pingidentity.com/en/resources/downloads/pingid.html	Product
https://docs.pingidentity.com/r/en-us/pingfederate-pingone-mfa-ik/bks1657303194394	Release Notes
https://www.pingidentity.com/en/resources/downloads/pingid.html	Product

Configurations

Configuration 1 (hide)

cpe:2.3:a:pingidentity:pingone_mfa_integration_kit:2.2:*:*:*:*:*:*:*

History

21 Nov 2024, 08:14

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~6.5~~	v2 : unknown v3 : 7.3
References	~~() https://docs.pingidentity.com/r/en-us/pingfederate-pingone-mfa-ik/bks1657303194394 - Release Notes~~	() https://docs.pingidentity.com/r/en-us/pingfederate-pingone-mfa-ik/bks1657303194394 - Release Notes
References	~~() https://www.pingidentity.com/en/resources/downloads/pingid.html - Product~~	() https://www.pingidentity.com/en/resources/downloads/pingid.html - Product

Information

Published : 2023-10-25 18:17

Updated : 2024-11-21 08:14

NVD link : CVE-2023-39231

Mitre link : CVE-2023-39231

CVE.ORG link : CVE-2023-39231

JSON object : View

Products Affected

pingidentity

pingone_mfa_integration_kit

CWE

CWE-288

Authentication Bypass Using an Alternate Path or Channel

CWE-306

Missing Authentication for Critical Function

{"id": "CVE-2023-39231", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "responsible-disclosure@pingidentity.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 2.1}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2023-10-25T18:17:29.030", "references": [{"url": "https://docs.pingidentity.com/r/en-us/pingfederate-pingone-mfa-ik/bks1657303194394", "tags": ["Release Notes"], "source": "responsible-disclosure@pingidentity.com"}, {"url": "https://www.pingidentity.com/en/resources/downloads/pingid.html", "tags": ["Product"], "source": "responsible-disclosure@pingidentity.com"}, {"url": "https://docs.pingidentity.com/r/en-us/pingfederate-pingone-mfa-ik/bks1657303194394", "tags": ["Release Notes"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.pingidentity.com/en/resources/downloads/pingid.html", "tags": ["Product"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "responsible-disclosure@pingidentity.com", "description": [{"lang": "en", "value": "CWE-288"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-306"}]}], "descriptions": [{"lang": "en", "value": "PingFederate using the PingOne MFA adapter allows a new MFA device to be paired without requiring second factor authentication from an existing registered device. A threat actor may be able to exploit this vulnerability to register their own MFA device if they have knowledge of a victim user's first factor credentials."}, {"lang": "es", "value": "PingFederate utilizando el adaptador PingOne MFA permite emparejar un nuevo dispositivo MFA sin requerir autenticaci\u00f3n de segundo factor de un dispositivo registrado existente. Un actor de amenazas puede aprovechar esta vulnerabilidad para registrar su propio dispositivo MFA si tiene conocimiento de las credenciales del primer factor del usuario v\u00edctima."}], "lastModified": "2024-11-21T08:14:57.667", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:pingidentity:pingone_mfa_integration_kit:2.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "086259D3-A4AD-4AB0-BD5D-5BC61667F870"}], "operator": "OR"}]}], "sourceIdentifier": "responsible-disclosure@pingidentity.com"}