PT-2024-12888 · Ping Identity · PingOne MFA Integration Kit
| Field | Value |
|---|---|
| Published | 2024-07-09 |
| Updated | 2024-07-10 |
| CVE | CVE-2023-40356 |
| CVSS v4.0 | 8.7 (High) |
| Vector | AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
PingOne MFA Integration Kit (affected versions not specified)
Description
The issue is related to the "Prompt Users to Set Up MFA" configuration option in the PingOne MFA Integration Kit. Under certain conditions, this configuration could allow a new MFA device to be paired with a target user account without requiring second-factor authentication from any of the target's existing registered devices. A threat actor who already knows the target user's first-factor credential might be able to exploit this to register their own MFA device with the target user's account.
Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Weakness Enumeration
Authentication Bypass by Spoofing
Affected Products
PingOne MFA Integration Kit