9 results (0.006 seconds)

CVSS: 3.8EPSS: 0%CPEs: 1EXPL: 0

PingID integration for Windows login prior to 2.9 does not handle duplicate usernames, which can lead to a username collision when two people with the same username are provisioned onto the same machine at different times. • https://docs.pingidentity.com/r/en-us/pingid/davinci_pingid_windows_login_relnotes_2.9 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-694: Use of Multiple Resources with Duplicate Identifier •

CVSS: 7.7EPSS: 0%CPEs: 1EXPL: 0

PingID Windows Login prior to 2.8 does not properly set permissions on the Windows Registry entries used to store sensitive API keys under some circumstances. PingID Windows Login versiones anteriores a 2.8, no establece correctamente los permisos en las entradas del Registro de Windows usadas para almacenar claves confidenciales de la API en algunas circunstancias • https://docs.pingidentity.com/bundle/pingid/page/zhy1653552428545.html https://www.pingidentity.com/en/resources/downloads/pingid.html • CWE-288: Authentication Bypass Using an Alternate Path or Channel CWE-522: Insufficiently Protected Credentials CWE-732: Incorrect Permission Assignment for Critical Resource •

CVSS: 8.2EPSS: 0%CPEs: 1EXPL: 0

PingID Windows Login prior to 2.8 does not alert or halt operation if it has been provisioned with the full permissions PingID properties file. An IT administrator could mistakenly deploy administrator privileged PingID API credentials, such as those typically used by PingFederate, into PingID Windows Login user endpoints. Using sensitive full permissions properties file outside of a privileged trust boundary leads to an increased risk of exposure or discovery, and an attacker could leverage these credentials to perform administrative actions against PingID APIs or endpoints. PingID Windows Login versiones anteriores a 2.8, no alerta o detiene la operación si ha sido provisto con el archivo de propiedades de PingID con todos los permisos. Un administrador de TI podría desplegar por error credenciales de API PingID con privilegios de administrador, como los usados típicamente por PingFederate, en los endpoints de usuario de PingID Windows Login. • https://docs.pingidentity.com/bundle/pingid/page/zhy1653552428545.html https://www.pingidentity.com/en/resources/downloads/pingid.html • CWE-269: Improper Privilege Management CWE-288: Authentication Bypass Using an Alternate Path or Channel CWE-648: Incorrect Use of Privileged APIs •

CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0

PingID Windows Login prior to 2.8 does not authenticate communication with a local Java service used to capture security key requests. An attacker with the ability to execute code on the target machine maybe able to exploit and spoof the local Java service using multiple attack vectors. A successful attack can lead to code executed as SYSTEM by the PingID Windows Login application, or even a denial of service for offline security key authentication. PingID Windows Login versiones anteriores a 2.8, no autentica la comunicación con un servicio local de Java usado para capturar peticiones de claves de seguridad. Un atacante con la capacidad de ejecutar código en la máquina objetivo puede ser capaz de explotar y falsificar el servicio local de Java usando múltiples vectores de ataque. • https://docs.pingidentity.com/bundle/pingid/page/zhy1653552428545.html https://www.pingidentity.com/en/resources/downloads/pingid.html • CWE-288: Authentication Bypass Using an Alternate Path or Channel CWE-306: Missing Authentication for Critical Function CWE-310: Cryptographic Issues •

CVSS: 9.3EPSS: 0%CPEs: 1EXPL: 0

PingID Windows Login prior to 2.8 uses known vulnerable components that can lead to remote code execution. An attacker capable of achieving a sophisticated man-in-the-middle position, or to compromise Ping Identity web servers, could deliver malicious code that would be executed as SYSTEM by the PingID Windows Login application. PingID Windows Login versiones anteriores a 2.8, usa componentes vulnerables conocidos que pueden conllevar a una ejecución de código remota. Un atacante capaz de lograr una posición sofisticada de tipo man-in-the-middle, o de comprometer los servidores web de Ping Identity, podría entregar código malicioso que sería ejecutado como SYSTEM por la aplicación PingID Windows Login • https://docs.pingidentity.com/bundle/pingid/page/zhy1653552428545.html https://www.pingidentity.com/en/resources/downloads/pingid.html • CWE-1352: OWASP Top Ten 2021 Category A06:2021 - Vulnerable and Outdated Components •