CVE Published: 30/06/2022 |
CVE Updated: 03/08/2024 |
CVE Year: 2022 Source: Ping Identity |
Vendor: Ping Identity |
Product: PingID Windows Login Status : PUBLISHED
CVE-2022-23719 Description
PingID Windows Login prior to 2.8 does not authenticate communication with a local Java service used to capture security key requests. An attacker with the ability to execute code on the target machine maybe able to exploit and spoof the local Java service using multiple attack vectors. A successful attack can lead to code executed as SYSTEM by the PingID Windows Login application, or even a denial of service for offline security key authentication.
Metrics
CVSS Version: 3.1 |
Base Score: 7.2 HIGH Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H
l➤ Exploitability Metrics: Attack Vector (AV)* LOCAL Attack Complexity (AC)* HIGH Privileges Required (PR)* HIGH User Interaction (UI)* REQUIRED Scope (S)* CHANGED
l➤ Impact Metrics: Confidentiality Impact (C)* HIGH Integrity Impact (I)* HIGH Availability Impact (A)* HIGH