CVE-2023-39231

PingFederate using the PingOne MFA adapter allows a new MFA device to be paired without requiring second factor authentication from an existing registered device. A threat actor may be able to exploit this vulnerability to register their own MFA device if they have knowledge of a victim user's first factor credentials.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://docs.pingidentity.com/r/en-us/pingfederate-pingone-mfa-ik/bks1657303194394	Release Notes
https://www.pingidentity.com/en/resources/downloads/pingid.html	Product

Configurations

Configuration 1 (hide)

cpe:2.3:a:pingidentity:pingone_mfa_integration_kit:2.2:*:*:*:*:*:*:*

History

31 Oct 2023, 18:47

Type	Values Removed	Values Added
CWE		CWE-306
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 6.5
References	~~(MISC) https://www.pingidentity.com/en/resources/downloads/pingid.html -~~	(MISC) https://www.pingidentity.com/en/resources/downloads/pingid.html - Product
References	~~(MISC) https://docs.pingidentity.com/r/en-us/pingfederate-pingone-mfa-ik/bks1657303194394 -~~	(MISC) https://docs.pingidentity.com/r/en-us/pingfederate-pingone-mfa-ik/bks1657303194394 - Release Notes
First Time		Pingidentity pingone Mfa Integration Kit Pingidentity
CPE		cpe:2.3:a:pingidentity:pingone_mfa_integration_kit:2.2:::::::*

25 Oct 2023, 18:17

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-10-25 18:17

Updated : 2023-12-10 15:14

NVD link : CVE-2023-39231

Mitre link : CVE-2023-39231

CVE.ORG link : CVE-2023-39231

JSON object : View

Products Affected

pingidentity

pingone_mfa_integration_kit

CWE

CWE-306

Missing Authentication for Critical Function

CWE-288

Authentication Bypass Using an Alternate Path or Channel

{"id": "CVE-2023-39231", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "responsible-disclosure@pingidentity.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 2.1}]}, "published": "2023-10-25T18:17:29.030", "references": [{"url": "https://docs.pingidentity.com/r/en-us/pingfederate-pingone-mfa-ik/bks1657303194394", "tags": ["Release Notes"], "source": "responsible-disclosure@pingidentity.com"}, {"url": "https://www.pingidentity.com/en/resources/downloads/pingid.html", "tags": ["Product"], "source": "responsible-disclosure@pingidentity.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-306"}]}, {"type": "Secondary", "source": "responsible-disclosure@pingidentity.com", "description": [{"lang": "en", "value": "CWE-288"}]}], "descriptions": [{"lang": "en", "value": "PingFederate using the PingOne MFA adapter allows a new MFA device to be paired without requiring second factor authentication from an existing registered device. A threat actor may be able to exploit this vulnerability to register their own MFA device if they have knowledge of a victim user's first factor credentials."}, {"lang": "es", "value": "PingFederate utilizando el adaptador PingOne MFA permite emparejar un nuevo dispositivo MFA sin requerir autenticaci\u00f3n de segundo factor de un dispositivo registrado existente. Un actor de amenazas puede aprovechar esta vulnerabilidad para registrar su propio dispositivo MFA si tiene conocimiento de las credenciales del primer factor del usuario v\u00edctima."}], "lastModified": "2023-10-31T18:47:42.620", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:pingidentity:pingone_mfa_integration_kit:2.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "086259D3-A4AD-4AB0-BD5D-5BC61667F870"}], "operator": "OR"}]}], "sourceIdentifier": "responsible-disclosure@pingidentity.com"}