What is the vulnerability ID for this issue?

The vulnerability ID for this issue is CVE-2022-23722.

What is the severity level of CVE-2022-23722?

The severity level of CVE-2022-23722 is medium.

Which software is affected by CVE-2022-23722?

The Pingidentity Pingfederate software versions 9.3.0 to 9.3.3, 10.0.0 to 10.0.12, 10.1.0 to 10.1.9, 10.2.0 to 10.2.7, 10.3.0 to 10.3.4, and 9.3.3-p15, and 11.0.0 are affected by CVE-2022-23722.

Where can I find more information about CVE-2022-23722?

You can find more information about CVE-2022-23722 at the following references: [link1](https://docs.pingidentity.com/bundle/pingfederate-110/page/spk1642790928508.html) and [link2](https://www.pingidentity.com/en/resources/downloads/pingfederate.html).

Vulnerability/
CVE-2022-23722

medium

6.5

CWE

287 288

2/5/2022

10/5/2022

CVE-2022-23722

First published: Mon May 02 2022(Updated: )

When a password reset mechanism is configured to use the Authentication API with an Authentication Policy, email One-Time Password, PingID or SMS authentication, an existing user can reset another existing userâ€™s password.

Credit: responsible-disclosure@pingidentity.com

Affected Software	Affected Version	How to fix
Pingidentity Pingfederate	>=9.3.0<9.3.3
Pingidentity Pingfederate	>=10.0.0<10.0.12
Pingidentity Pingfederate	>=10.1.0<10.1.9
Pingidentity Pingfederate	>=10.2.0<10.2.7
Pingidentity Pingfederate	>=10.3.0<10.3.4
Pingidentity Pingfederate	=9.3.3-p15
Pingidentity Pingfederate	=11.0.0

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the vulnerability ID for this issue?
The vulnerability ID for this issue is CVE-2022-23722.
What is the severity level of CVE-2022-23722?
The severity level of CVE-2022-23722 is medium.
Which software is affected by CVE-2022-23722?
The Pingidentity Pingfederate software versions 9.3.0 to 9.3.3, 10.0.0 to 10.0.12, 10.1.0 to 10.1.9, 10.2.0 to 10.2.7, 10.3.0 to 10.3.4, and 9.3.3-p15, and 11.0.0 are affected by CVE-2022-23722.
How can an existing user reset another existing user's password using CVE-2022-23722?
When a password reset mechanism is configured to use the Authentication API with an Authentication Policy, email One-Time Password, PingID, or SMS authentication, an existing user can reset another existing user's password.
Where can I find more information about CVE-2022-23722?
You can find more information about CVE-2022-23722 at the following references: [link1](https://docs.pingidentity.com/bundle/pingfederate-110/page/spk1642790928508.html) and [link2](https://www.pingidentity.com/en/resources/downloads/pingfederate.html).

collector/nvd-index
agent/event
vendor/pingidentity
canonical/pingidentity pingfederate
version/pingidentity pingfederate/9.3.0
version/pingidentity pingfederate/10.0.0
version/pingidentity pingfederate/10.1.0
version/pingidentity pingfederate/10.2.0
version/pingidentity pingfederate/10.3.0
version/pingidentity pingfederate/9.3.3-p15
version/pingidentity pingfederate/11.0.0

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.