CVE-2022-40722 – Misconfiguration of RSA padding for offline MFA in the PingID Adapter for PingFederate.
https://notcve.org/view.php?id=CVE-2022-40722
A misconfiguration of RSA padding implemented in the PingID Adapter for PingFederate to support Offline MFA with PingID mobile authenticators is vulnerable to pre-computed dictionary attacks, leading to a bypass of offline MFA. • https://docs.pingidentity.com/r/en-us/pingid/pingid_adapter_configuring_offline_mfa https://docs.pingidentity.com/r/en-us/pingid/pingid_integration_kit_2_20_rn • CWE-327: Use of a Broken or Risky Cryptographic Algorithm CWE-780: Use of RSA Algorithm without OAEP •
CVE-2022-23721 – PingID integration for Windows login duplicate username collision.
https://notcve.org/view.php?id=CVE-2022-23721
PingID integration for Windows login prior to 2.9 does not handle duplicate usernames, which can lead to a username collision when two people with the same username are provisioned onto the same machine at different times. • https://docs.pingidentity.com/r/en-us/pingid/davinci_pingid_windows_login_relnotes_2.9 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-694: Use of Multiple Resources with Duplicate Identifier •
CVE-2018-25084 – Ping Identity Self-Service Account Manager SSAMController.java cross site scripting
https://notcve.org/view.php?id=CVE-2018-25084
A vulnerability, which was classified as problematic, has been found in Ping Identity Self-Service Account Manager 1.1.2. Affected by this issue is some unknown functionality of the file src/main/java/com/unboundid/webapp/ssam/SSAMController.java. The manipulation leads to cross site scripting. The attack may be launched remotely. Upgrading to version 1.1.3 is able to address this issue. • https://github.com/pingidentity/ssam/commit/f64b10d63bb19ca2228b0c2d561a1a6e5a3bf251 https://github.com/pingidentity/ssam/releases/tag/ssam-1.1.3 https://vuldb.com/?ctiid.225362 https://vuldb.com/?id.225362 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2022-23726
https://notcve.org/view.php?id=CVE-2022-23726
PingCentral versions prior to listed versions expose Spring Boot actuator endpoints that with administrative authentication return large amounts of sensitive environmental and application information. PingCentral versiones anteriores a las enumeradas exponen endpoints de actuadores de Spring Boot que, con autenticación administrativa, devuelven grandes cantidades de información confidencial del entorno y de la aplicación • https://docs.pingidentity.com/bundle/pingcentral-110/page/sdd1651696160285.html https://www.pingidentity.com/en/resources/downloads/pingcentral.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-732: Incorrect Permission Assignment for Critical Resource •
CVE-2022-23725 – PingID Windows Login prior to 2.8 does not properly set permissions on the Windows Registry entries used to store sensitive API keys under some circumstances
https://notcve.org/view.php?id=CVE-2022-23725
PingID Windows Login prior to 2.8 does not properly set permissions on the Windows Registry entries used to store sensitive API keys under some circumstances. PingID Windows Login versiones anteriores a 2.8, no establece correctamente los permisos en las entradas del Registro de Windows usadas para almacenar claves confidenciales de la API en algunas circunstancias • https://docs.pingidentity.com/bundle/pingid/page/zhy1653552428545.html https://www.pingidentity.com/en/resources/downloads/pingid.html • CWE-288: Authentication Bypass Using an Alternate Path or Channel CWE-522: Insufficiently Protected Credentials CWE-732: Incorrect Permission Assignment for Critical Resource •