CVE-2021-42001

PingID Desktop prior to 1.7.3 has a misconfiguration in the encryption libraries which can lead to sensitive data exposure. An attacker capable of exploiting this vulnerability may be able to successfully complete an MFA challenge via OTP.

CVSS v3 8.0 HIGH
CVSS v2.0 4.0 MEDIUM

8.0^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.3 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

4.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:S/C:P/I:N/A:N

Exploitability : 8.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://docs.pingidentity.com/bundle/pingid/page/dyt1645545885978.html	Release Notes Vendor Advisory
https://www.pingidentity.com/en/resources/downloads/pingid.html	Patch
https://docs.pingidentity.com/bundle/pingid/page/dyt1645545885978.html	Release Notes Vendor Advisory
https://www.pingidentity.com/en/resources/downloads/pingid.html	Patch

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:pingidentity:pingid_desktop::::::mac_os_x::*
	cpe:2.3:a:pingidentity:pingid_desktop::::::windows::*

History

21 Nov 2024, 06:27

Type	Values Removed	Values Added
References	~~() https://docs.pingidentity.com/bundle/pingid/page/dyt1645545885978.html - Release Notes, Vendor Advisory~~	() https://docs.pingidentity.com/bundle/pingid/page/dyt1645545885978.html - Release Notes, Vendor Advisory
References	~~() https://www.pingidentity.com/en/resources/downloads/pingid.html - Patch~~	() https://www.pingidentity.com/en/resources/downloads/pingid.html - Patch
CVSS	v2 : ~~4.0~~ v3 : ~~9.9~~	v2 : 4.0 v3 : 8.0

17 Jul 2023, 15:18

Type	Values Removed	Values Added
CWE	~~CWE-668~~	NVD-CWE-noinfo

Information

Published : 2022-04-30 22:15

Updated : 2024-11-21 06:27

NVD link : CVE-2021-42001

Mitre link : CVE-2021-42001

CVE.ORG link : CVE-2021-42001

JSON object : View

Products Affected

pingidentity

pingid_desktop

CWE

CWE-310

Cryptographic Issues

NVD-CWE-noinfo

{"id": "CVE-2021-42001", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "authentication": "SINGLE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Secondary", "source": "responsible-disclosure@pingidentity.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.0, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 1.3}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.9, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 3.1}]}, "published": "2022-04-30T22:15:08.257", "references": [{"url": "https://docs.pingidentity.com/bundle/pingid/page/dyt1645545885978.html", "tags": ["Release Notes", "Vendor Advisory"], "source": "responsible-disclosure@pingidentity.com"}, {"url": "https://www.pingidentity.com/en/resources/downloads/pingid.html", "tags": ["Patch"], "source": "responsible-disclosure@pingidentity.com"}, {"url": "https://docs.pingidentity.com/bundle/pingid/page/dyt1645545885978.html", "tags": ["Release Notes", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.pingidentity.com/en/resources/downloads/pingid.html", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "responsible-disclosure@pingidentity.com", "description": [{"lang": "en", "value": "CWE-310"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "PingID Desktop prior to 1.7.3 has a misconfiguration in the encryption libraries which can lead to sensitive data exposure. An attacker capable of exploiting this vulnerability may be able to successfully complete an MFA challenge via OTP."}, {"lang": "es", "value": "PingID Desktop versiones anteriores a 1.7.3, presenta una configuraci\u00f3n err\u00f3nea en las bibliotecas de cifrado que puede conllevar a una exposici\u00f3n de datos confidenciales. Un atacante capaz de explotar esta vulnerabilidad puede ser capaz de completar con \u00e9xito un desaf\u00edo MFA por medio de OTP"}], "lastModified": "2024-11-21T06:27:03.060", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:pingidentity:pingid_desktop:*:*:*:*:*:mac_os_x:*:*", "vulnerable": true, "matchCriteriaId": "35959255-CBEE-4FAB-AADB-437E690C55D6", "versionEndExcluding": "1.7.3"}, {"criteria": "cpe:2.3:a:pingidentity:pingid_desktop:*:*:*:*:*:windows:*:*", "vulnerable": true, "matchCriteriaId": "1CE56EB1-96EC-48D8-9CE4-1F8CBA26EEAF", "versionEndExcluding": "1.7.3"}], "operator": "OR"}]}], "sourceIdentifier": "responsible-disclosure@pingidentity.com"}