PT-2022-3285 · Ping Identity · Pingid Windows Login

Published: 2022-06-30 · Updated: 2023-07-13 · CVE-2022-23725

CVSS v3.1: 7.7 (High)

Vector: AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L

Name of the Vulnerable Software and Affected Versions: PingID Windows Login versions prior to 2.8

Description: The issue is related to insufficient protection of registration data in the PingID Windows Login application, which can allow an attacker to access confidential data. The problem arises when the software does not properly set permissions on the Windows Registry entries used to store sensitive API keys under certain circumstances.

Recommendations: For versions prior to 2.8, update to version 2.8 or later to resolve the issue. As a temporary workaround, consider restricting access to the Windows Registry entries used to store sensitive API keys to minimize the risk of exploitation.
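
One way to check the temporary workaround above, as an added PowerShell example that is not Ping Identity's or this advisory's own code: it reports principals other than SYSTEM and Administrators that can read values under a registry key and its subkeys and, with `-Restrict`, removes their access. The key path is a placeholder because the advisory does not name the key, and the list of allowed principals is an assumption.

```powershell
# Added example. $KeyPath is a placeholder: the advisory does not name the key.
param(
    [string]$KeyPath = 'HKLM:\SOFTWARE\<PLACEHOLDER-KEY-FROM-VENDOR-DOCS>',
    [switch]$Restrict   # without this switch the script only reports
)

# Principals allowed to keep access (assumption; adjust to local policy).
$allowedSids = 'S-1-5-18', 'S-1-5-32-544'   # SYSTEM, BUILTIN\Administrators

# Rights that let a principal read values. Inherit-only ACEs can carry
# generic rights instead of key-specific ones, so test for both.
$QUERY_VALUES = 0x1
$GENERIC_ALL  = 0x10000000
$GENERIC_READ = -2147483648   # 0x80000000 as Int32

$sidType = [System.Security.Principal.SecurityIdentifier]
$keys = @(Get-Item -Path $KeyPath) + @(Get-ChildItem -Path $KeyPath -Recurse)

$findings = foreach ($key in $keys) {
    foreach ($rule in (Get-Acl -Path $key.PSPath).Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        $sid = $rule.IdentityReference.Translate($sidType).Value
        if ($allowedSids -contains $sid) { continue }
        $raw = [int]$rule.RegistryRights
        if ($raw -band ($QUERY_VALUES -bor $GENERIC_ALL -bor $GENERIC_READ)) {
            [pscustomobject]@{
                Key       = $key.Name
                Principal = $rule.IdentityReference.Value
                Sid       = $sid
                Rights    = $rule.RegistryRights
                Inherited = $rule.IsInherited
            }
        }
    }
}
$findings | Format-Table -AutoSize

if ($Restrict -and $findings) {
    foreach ($path in ($findings.Key | Sort-Object -Unique)) {
        $psPath = "Registry::$path"
        $acl = Get-Acl -Path $psPath
        $acl.SetAccessRuleProtection($true, $true)   # stop inheriting, keep a copy
        Set-Acl -Path $psPath -AclObject $acl
        $acl = Get-Acl -Path $psPath                 # copied ACEs are now explicit
        $findings | Where-Object Key -eq $path | ForEach-Object {
            $acl.PurgeAccessRules([System.Security.Principal.SecurityIdentifier]$_.Sid)
        }
        Set-Acl -Path $psPath -AclObject $acl
    }
}
```

Run it from an elevated session without `-Restrict` first and review the report, since `PurgeAccessRules` removes every rule held by each flagged principal on that key.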

Fix

Authentication Bypass Using an Alternate Path or Channel

Insufficiently Protected Credentials

Incorrect Permission


Weakness Enumeration

Related Identifiers

BDU:2022-04020
CVE-2022-23725

Affected Products

Pingid Windows Login