First published: Mon May 02 2022
When a password reset mechanism is configured to use the Authentication API with an Authentication Policy, email One-Time Password, PingID or SMS authentication, an existing user can reset another existing user’s password.
Credit: responsible-disclosure@pingidentity.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Ping Identity PingFederate | >=9.3.0, <9.3.3 | |
| Ping Identity PingFederate | >=10.0.0, <10.0.12 | |
| Ping Identity PingFederate | >=10.1.0, <10.1.9 | |
| Ping Identity PingFederate | >=10.2.0, <10.2.7 | |
| Ping Identity PingFederate | >=10.3.0, <10.3.4 | |
| Ping Identity PingFederate | =9.3.3-p15 | |
| Ping Identity PingFederate | =11.0.0 | |
The vulnerability ID for this issue is CVE-2022-23722.
The severity level of CVE-2022-23722 is medium.
Ping Identity PingFederate versions 9.3.0 to 9.3.3, 10.0.0 to 10.0.12, 10.1.0 to 10.1.9, 10.2.0 to 10.2.7 and 10.3.0 to 10.3.4 (each range including the lower bound and excluding the upper bound, as listed in the table above), as well as versions 9.3.3-p15 and 11.0.0, are affected by CVE-2022-23722.
You can find more information about CVE-2022-23722 at the following references: [link1](https://docs.pingidentity.com/bundle/pingfederate-110/page/spk1642790928508.html) and [link2](https://www.pingidentity.com/en/resources/downloads/pingfederate.html).