CVE-2022-23720
Summary
| CVE | CVE-2022-23720 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2022-06-30 20:15:00 UTC |
| Updated | 2022-07-13 17:13:00 UTC |
| Description | PingID Windows Login prior to 2.8 does not alert or halt operation if it has been provisioned with the full permissions PingID properties file. An IT administrator could mistakenly deploy administrator privileged PingID API credentials, such as those typically used by PingFederate, into PingID Windows Login user endpoints. Using sensitive full permissions properties file outside of a privileged trust boundary leads to an increased risk of exposure or discovery, and an attacker could leverage these credentials to perform administrative actions against PingID APIs or endpoints. |
Risk And Classification
Problem Types: CWE-269
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Pingidentity | Pingid Integration For Windows Login | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| PingID Downloads | MISC | www.pingidentity.com | |
| Ping Identity Documentation Portal | MISC | docs.pingidentity.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
LEGACY: Ping Identity credits The Commonwealth Bank of Australia for the discovery of this vulnerability.
There are currently no legacy QID mappings associated with this CVE.