CVE-2021-42001

PingID Desktop prior to 1.7.3 has a misconfiguration in the encryption libraries which can lead to sensitive data exposure. An attacker capable of exploiting this vulnerability may be able to successfully complete an MFA challenge via OTP.

CVSS v3 9.9 CRITICAL
CVSS v2.0 4.0 MEDIUM

9.9^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.1 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

4.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:S/C:P/I:N/A:N

Exploitability : 8.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://docs.pingidentity.com/bundle/pingid/page/dyt1645545885978.html	Release Notes Vendor Advisory
https://www.pingidentity.com/en/resources/downloads/pingid.html	Patch

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:pingidentity:pingid_desktop::::::mac_os_x::*
	cpe:2.3:a:pingidentity:pingid_desktop::::::windows::*

History

17 Jul 2023, 15:18

Type	Values Removed	Values Added
CWE	~~CWE-668~~	NVD-CWE-noinfo

03 Sep 2022, 03:55

Type	Values Removed	Values Added
CVSS	v2 : ~~5.0~~ v3 : ~~9.8~~	v2 : 4.0 v3 : 9.9

10 May 2022, 16:36

Type	Values Removed	Values Added
References	~~(MISC) https://docs.pingidentity.com/bundle/pingid/page/dyt1645545885978.html -~~	(MISC) https://docs.pingidentity.com/bundle/pingid/page/dyt1645545885978.html - Release Notes, Vendor Advisory
References	~~(MISC) https://www.pingidentity.com/en/resources/downloads/pingid.html -~~	(MISC) https://www.pingidentity.com/en/resources/downloads/pingid.html - Patch
First Time		Pingidentity pingid Desktop Pingidentity
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : 5.0 v3 : 9.8
CPE		cpe:2.3:a:pingidentity:pingid_desktop::::::mac_os_x::* cpe:2.3:a:pingidentity:pingid_desktop::::::windows::*
CWE		CWE-668

30 Apr 2022, 22:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2022-04-30 22:15

Updated : 2023-12-10 14:22

NVD link : CVE-2021-42001

Mitre link : CVE-2021-42001

CVE.ORG link : CVE-2021-42001

JSON object : View

Products Affected

pingidentity

pingid_desktop

CWE

NVD-CWE-noinfo CWE-310

Cryptographic Issues

{"id": "CVE-2021-42001", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "authentication": "SINGLE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.9, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 3.1}, {"type": "Secondary", "source": "responsible-disclosure@pingidentity.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.0, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 1.3}]}, "published": "2022-04-30T22:15:08.257", "references": [{"url": "https://docs.pingidentity.com/bundle/pingid/page/dyt1645545885978.html", "tags": ["Release Notes", "Vendor Advisory"], "source": "responsible-disclosure@pingidentity.com"}, {"url": "https://www.pingidentity.com/en/resources/downloads/pingid.html", "tags": ["Patch"], "source": "responsible-disclosure@pingidentity.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}, {"type": "Secondary", "source": "responsible-disclosure@pingidentity.com", "description": [{"lang": "en", "value": "CWE-310"}]}], "descriptions": [{"lang": "en", "value": "PingID Desktop prior to 1.7.3 has a misconfiguration in the encryption libraries which can lead to sensitive data exposure. An attacker capable of exploiting this vulnerability may be able to successfully complete an MFA challenge via OTP."}, {"lang": "es", "value": "PingID Desktop versiones anteriores a 1.7.3, presenta una configuraci\u00f3n err\u00f3nea en las bibliotecas de cifrado que puede conllevar a una exposici\u00f3n de datos confidenciales. Un atacante capaz de explotar esta vulnerabilidad puede ser capaz de completar con \u00e9xito un desaf\u00edo MFA por medio de OTP"}], "lastModified": "2023-07-17T15:18:30.023", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:pingidentity:pingid_desktop:*:*:*:*:*:mac_os_x:*:*", "vulnerable": true, "matchCriteriaId": "35959255-CBEE-4FAB-AADB-437E690C55D6", "versionEndExcluding": "1.7.3"}, {"criteria": "cpe:2.3:a:pingidentity:pingid_desktop:*:*:*:*:*:windows:*:*", "vulnerable": true, "matchCriteriaId": "1CE56EB1-96EC-48D8-9CE4-1F8CBA26EEAF", "versionEndExcluding": "1.7.3"}], "operator": "OR"}]}], "sourceIdentifier": "responsible-disclosure@pingidentity.com"}