CVE-2022-23724
Published: 04 May 2022
Summary
CVE-2022-23724 is a medium-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in Ping Identity's PingID Integration for Windows Login. Its CVSS base score is 6.4 (Medium).
By exploit likelihood it ranks at the 24.4th percentile (below the median), and it is not currently listed in the CISA KEV catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-28660
Vulnerability details
Use of static encryption key material allows forging an authentication token for other users within the same tenant organization. MFA may be bypassed by redirecting an authentication flow to a target user. To exploit the vulnerability, an attacker must already hold compromised credentials for a user in the tenant; the static key then lets them mint a token in another user's name, so the compromised password alone is enough to complete the login.
- CWE(s): CWE-288 (Authentication Bypass Using an Alternate Path or Channel)
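The mechanism described above, as an added illustration that is not the vendor's code and does not reproduce PingID's real token format: a toy HMAC token scheme whose signing key is one static value shipped in every client installation, so any enrolled user who extracts it can mint a token naming another user in the tenant; beside it, a per-device-key design in which the verifier looks the key up by the identity the token claims, so a key from one enrollment cannot sign for another. Token layout, user and device names, and the `PerDeviceKeyServer` API are all constructed for the example.

```python
"""Constructed example: static client-embedded token key vs. per-device key.
Not PingID's format or code; every name and value here is hypothetical."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Vulnerable design: one key baked into every client installation. Anyone who
# can run or unpack the client (i.e. any enrolled user) can recover it.
STATIC_CLIENT_KEY = b"constructed-static-key-shared-by-all-installs"


def _encode(payload: dict) -> bytes:
    # urlsafe base64 never contains '.', so body and tag split cleanly later
    return base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode())


def _decode(body: bytes) -> dict:
    return json.loads(base64.urlsafe_b64decode(body))


def mint_token(key: bytes, tenant: str, user: str, device: str) -> str:
    """Return 'body.tag' with tag = HMAC-SHA256(key, body)."""
    body = _encode({"tenant": tenant, "user": user, "device": device,
                    "iat": int(time.time())})
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return f"{body.decode()}.{tag}"


def verify_with_static_key(token: str) -> Optional[dict]:
    """Vulnerable verifier: any token under the shared static key is trusted,
    whoever produced it and whatever user it names."""
    body, _, tag = token.rpartition(".")
    expected = hmac.new(STATIC_CLIENT_KEY, body.encode(), hashlib.sha256).hexdigest()
    return _decode(body.encode()) if hmac.compare_digest(tag, expected) else None


def static_key_forgery_accepted() -> bool:
    # 'mallory' holds the victim's phished password and has pulled
    # STATIC_CLIENT_KEY out of her own installation. She mints a token that
    # names the victim; the verifier cannot distinguish it from one the
    # victim's own device would have produced, so the MFA step is satisfied.
    forged = mint_token(STATIC_CLIENT_KEY, "acme", "victim", "mallory-laptop")
    claims = verify_with_static_key(forged)
    return claims is not None and claims["user"] == "victim"


class PerDeviceKeyServer:
    """Hardened design: a fresh random key per (tenant, user, device) issued
    at enrollment and held server-side. Verification selects the key by the
    identity the token claims, never by a key the client supplies."""

    def __init__(self) -> None:
        self._keys: dict = {}

    def enroll(self, tenant: str, user: str, device: str) -> bytes:
        key = secrets.token_bytes(32)
        self._keys[(tenant, user, device)] = key
        return key  # provisioned to that one device only

    def verify(self, token: str) -> Optional[dict]:
        body, _, tag = token.rpartition(".")
        claims = _decode(body.encode())
        key = self._keys.get((claims["tenant"], claims["user"], claims["device"]))
        if key is None:
            return None  # no such enrollment
        expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
        return claims if hmac.compare_digest(tag, expected) else None


def per_device_key_forgery_accepted() -> bool:
    server = PerDeviceKeyServer()
    server.enroll("acme", "victim", "victim-laptop")
    mallory_key = server.enroll("acme", "mallory", "mallory-laptop")
    # Mallory's key is good for Mallory's own tokens ...
    assert server.verify(mint_token(mallory_key, "acme", "mallory", "mallory-laptop"))
    # ... but a token naming 'victim' is checked against victim's key, or none.
    forged_a = mint_token(mallory_key, "acme", "victim", "mallory-laptop")  # no enrollment
    forged_b = mint_token(mallory_key, "acme", "victim", "victim-laptop")   # wrong key
    return server.verify(forged_a) is not None or server.verify(forged_b) is not None
```

The point of the contrast is where the verifier gets its key: in the vulnerable design the key is a property of the software, so possessing a copy of the software is the same as possessing every user's signing credential; in the hardened design it is a property of one enrollment, so the attacker's compromised password still runs into an MFA step that only the victim's enrolled device can pass.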
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Users can identify logons via alternate paths or channels by reviewing their previous logon time.
- Centralized IdPs close alternate authentication paths that enable bypass.
- Authorizing and controlling remote access reduces the ability to bypass authentication via unauthorized alternate remote channels.
- Security training that explicitly warns against hard-coded credentials lowers their use in systems.
- Policy and procedures prohibit hard-coded credentials in favor of managed authentication.
- Adaptive authentication requirements applied across all access paths reduce the ability to bypass authentication via alternate channels or paths.
- Changing default authenticators prior to first use and protecting authenticator content prevents use of hard-coded credentials.
- Enforcing authentication for non-organizational users makes it harder to bypass via alternate paths or channels.