CVE-2023-40356

Published: Jul 9, 2024

Modified: Aug 2, 2024

PUBLISHED

Description

PingOne MFA Integration Kit contains a vulnerability related to the Prompt Users to Set Up MFA configuration. Under certain conditions, this configuration could allow for a new MFA device to be paired with a target user account without requiring second-factor authentication from the target’s existing registered devices. A threat actor might be able to exploit this vulnerability to register their own MFA device with a target user’s account if they have existing knowledge of the target user’s first factor credential.

Vendor	Product	Versions
Ping Identity	PingOne MFA Integration Kit for PingFederate	affected `0 - < 2.3.1`

Weaknesses (CWE)

CWE-290

References

https://docs.pingidentity.com/r/en-us/pingfederate-pingone-mfa-ik/bks1657303194394

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2023-40356

Description

Affected Products

Weaknesses (CWE)

References