CVE-2022-23720

Name of the Vulnerable Software and Affected Versions PingID Windows Login versions prior to 2.8

Description The issue is related to the incorrect use of privileged APIs in the PingID multi-factor authentication (MFA) software for Windows. This could allow an attacker to elevate their privileges. Specifically, if PingID Windows Login is provisioned with a full permissions PingID properties file, it does not alert or halt operation, which could lead to the exposure of sensitive credentials. An attacker could leverage these credentials to perform administrative actions against PingID APIs or endpoints, such as /api/v1/login or /users/{id}, by exploiting the username and password variables.

Recommendations For versions prior to 2.8, ensure that the full permissions PingID properties file is not used outside of a privileged trust boundary to prevent the exposure of sensitive credentials. As a temporary workaround, consider restricting access to the PingID APIs or endpoints until a patch is available. Avoid using sensitive full permissions properties files in user endpoints to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.