CVE-2022-23720 – PingID Windows Login prior to 2.8 does not alert or halt operation if it has been provisioned with the full permissions PingID properties file
https://notcve.org/view.php?id=CVE-2022-23720
PingID Windows Login prior to 2.8 does not alert or halt operation if it has been provisioned with the full permissions PingID properties file. An IT administrator could mistakenly deploy administrator privileged PingID API credentials, such as those typically used by PingFederate, into PingID Windows Login user endpoints. Using sensitive full permissions properties file outside of a privileged trust boundary leads to an increased risk of exposure or discovery, and an attacker could leverage these credentials to perform administrative actions against PingID APIs or endpoints. PingID Windows Login versiones anteriores a 2.8, no alerta o detiene la operación si ha sido provisto con el archivo de propiedades de PingID con todos los permisos. Un administrador de TI podría desplegar por error credenciales de API PingID con privilegios de administrador, como los usados típicamente por PingFederate, en los endpoints de usuario de PingID Windows Login. • https://docs.pingidentity.com/bundle/pingid/page/zhy1653552428545.html https://www.pingidentity.com/en/resources/downloads/pingid.html • CWE-269: Improper Privilege Management CWE-288: Authentication Bypass Using an Alternate Path or Channel CWE-648: Incorrect Use of Privileged APIs •
CVE-2022-23719 – PingID Windows Login prior to 2.8 does not authenticate communication with a local Java service used to capture security key requests
https://notcve.org/view.php?id=CVE-2022-23719
PingID Windows Login prior to 2.8 does not authenticate communication with a local Java service used to capture security key requests. An attacker with the ability to execute code on the target machine maybe able to exploit and spoof the local Java service using multiple attack vectors. A successful attack can lead to code executed as SYSTEM by the PingID Windows Login application, or even a denial of service for offline security key authentication. PingID Windows Login versiones anteriores a 2.8, no autentica la comunicación con un servicio local de Java usado para capturar peticiones de claves de seguridad. Un atacante con la capacidad de ejecutar código en la máquina objetivo puede ser capaz de explotar y falsificar el servicio local de Java usando múltiples vectores de ataque. • https://docs.pingidentity.com/bundle/pingid/page/zhy1653552428545.html https://www.pingidentity.com/en/resources/downloads/pingid.html • CWE-288: Authentication Bypass Using an Alternate Path or Channel CWE-306: Missing Authentication for Critical Function CWE-310: Cryptographic Issues •
CVE-2022-23718 – PingID Windows Login prior to 2.8 uses known vulnerable components that can lead to remote code execution
https://notcve.org/view.php?id=CVE-2022-23718
PingID Windows Login prior to 2.8 uses known vulnerable components that can lead to remote code execution. An attacker capable of achieving a sophisticated man-in-the-middle position, or to compromise Ping Identity web servers, could deliver malicious code that would be executed as SYSTEM by the PingID Windows Login application. PingID Windows Login versiones anteriores a 2.8, usa componentes vulnerables conocidos que pueden conllevar a una ejecución de código remota. Un atacante capaz de lograr una posición sofisticada de tipo man-in-the-middle, o de comprometer los servidores web de Ping Identity, podría entregar código malicioso que sería ejecutado como SYSTEM por la aplicación PingID Windows Login • https://docs.pingidentity.com/bundle/pingid/page/zhy1653552428545.html https://www.pingidentity.com/en/resources/downloads/pingid.html • CWE-1352: OWASP Top Ten 2021 Category A06:2021 - Vulnerable and Outdated Components •
CVE-2022-23717 – PingID Windows Login prior to 2.8 denial of service condition
https://notcve.org/view.php?id=CVE-2022-23717
PingID Windows Login prior to 2.8 is vulnerable to a denial of service condition on local machines when combined with using offline security keys as part of authentication. PingID Windows Login versiones anteriores a 2.8, es vulnerable a una condición de denegación de servicio en máquinas locales cuando es combinado con el uso de claves de seguridad sin conexión como parte de la autenticación • https://docs.pingidentity.com/bundle/pingid/page/zhy1653552428545.html https://www.pingidentity.com/en/resources/downloads/pingid.html • CWE-404: Improper Resource Shutdown or Release •
CVE-2021-41995 – PingID Mac Login prior to 1.1 vulnerable to pre-computed dictionary attacks
https://notcve.org/view.php?id=CVE-2021-41995
A misconfiguration of RSA in PingID Mac Login prior to 1.1 is vulnerable to pre-computed dictionary attacks, leading to an offline MFA bypass. Una configuración errónea de RSA en PingID Mac Login versiones anteriores a 1.1, es vulnerable a ataques de diccionario pre-calculado, conllevando a una omisión de MFA sin conexión • https://docs.pingidentity.com/bundle/pingid/page/hnh1653583508549.html https://www.pingidentity.com/en/resources/downloads/pingid.html • CWE-287: Improper Authentication CWE-288: Authentication Bypass Using an Alternate Path or Channel CWE-310: Cryptographic Issues •