CVE-2021-41993 – PingID Android mobile application prior to 1.19 vulnerable to pre-computed dictionary attacks
https://notcve.org/view.php?id=CVE-2021-41993
The PingID Android app prior to 1.19 misconfigures RSA and is vulnerable to pre-computed dictionary attacks, leading to an offline MFA bypass when the app is used with PingID Windows Login.
References: https://docs.pingidentity.com/bundle/pingid/page/zvy1641459415679.html • https://www.pingidentity.com/en/resources/downloads/pingid.html
Weaknesses: CWE-310: Cryptographic Issues • CWE-330: Use of Insufficiently Random Values
CVE-2021-41992 – PingID Windows Login RSA cryptographic weakness with possible offline MFA bypass
https://notcve.org/view.php?id=CVE-2021-41992
PingID Windows Login prior to 2.7 misconfigures RSA and is vulnerable to pre-computed dictionary attacks, leading to an offline MFA bypass.
References: https://docs.pingidentity.com/bundle/pingid/page/klc1641469599716.html • https://www.pingidentity.com/en/resources/downloads/pingid.html
Weaknesses: CWE-287: Improper Authentication • CWE-288: Authentication Bypass Using an Alternate Path or Channel • CWE-310: Cryptographic Issues
CVE-2021-42000 – Ping Identity PingFederate Password Reset and Password Change Mishandling with an authentication policy in parallel reset flows
https://notcve.org/view.php?id=CVE-2021-42000
When a password reset or password change flow with an authentication policy is configured, and the adapter used in that reset or change policy supports multiple parallel reset flows, an existing user can reset another existing user's password.
References: https://docs.pingidentity.com/bundle/pingfederate-103/page/hhm1634833631515.html • https://www.pingidentity.com/en/resources/downloads/pingfederate.html
Weaknesses: CWE-285: Improper Authorization
CVE-2021-41770
https://notcve.org/view.php?id=CVE-2021-41770
Ping Identity PingFederate before 10.3.1 mishandles pre-parsing validation, leading to an XXE attack that can achieve XML file disclosure.
References: https://docs.pingidentity.com/bundle/pingfederate-103/page/ruz1628492711606.html • https://www.pingidentity.com/en/resources/downloads/pingfederate.html
Weaknesses: CWE-611: Improper Restriction of XML External Entity Reference
CVE-2021-40329
https://notcve.org/view.php?id=CVE-2021-40329
The Authentication API in Ping Identity PingFederate before 10.3 mishandles certain aspects of external password management.
References: https://docs.pingidentity.com/bundle/pingfederate-103/page/cou1615333347158.html