CVE-2023-40356

09.07.2024, 16:15

PingOne MFA Integration Kit contains a vulnerability related to the Prompt Users to Set Up MFA configuration. Under certain conditions, this configuration could allow for a new MFA device to be paired with a target user account without requiring second-factor authentication from the targets existing registered devices. A threat actor might be able to exploit this vulnerability to register their own MFA device with a target users account if they have existing knowledge of the target users first factor credential.

Provider	Type	Base Score	Vector
NIST	NIST	UNKNOWN	---
Ping Identity	CNA	---	---
CISA-ADP	ADP	---	---
CVE	ADP	---	---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 31%

Common Weakness Enumeration

CWE-290 - Authentication Bypass by Spoofing
This attack-focused weakness is caused by improperly implemented authentication schemes that are subject to spoofing attacks.

References

https://docs.pingidentity.com/r/en-us/pingfederate-pingone-mfa-ik/bks1657303194394