CVE-2021-42001 - OpenCVE

PingID Desktop prior to 1.7.3 has a misconfiguration in the encryption libraries which can lead to sensitive data exposure. An attacker capable of exploiting this vulnerability may be able to successfully complete an MFA challenge via OTP.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:S/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Pingidentity	Pingid Desktop

Configuration 1 [-]

OR	cpe:2.3:a:pingidentity:pingid_desktop::::::mac_os_x::*
	cpe:2.3:a:pingidentity:pingid_desktop::::::windows::*

No data.

References

Link	Providers
https://docs.pingidentity.com/bundle/pingid/page/dyt1645545885978.html
https://www.pingidentity.com/en/resources/downloads/pingid.html

History

No history.

MITRE

Status: PUBLISHED

Assigner: Ping Identity

Published: 2022-04-30T21:15:24

Updated: 2024-08-04T03:22:25.903Z

Reserved: 2021-10-04T00:00:00

Link: CVE-2021-42001

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-04-30T22:15:08.257

Modified: 2023-07-17T15:18:30.023

Link: CVE-2021-42001

Redhat

No data.

{"containers": {"cna": {"affected": [{"platforms": ["Windows"], "product": "PingID Desktop", "vendor": "Ping Identity", "versions": [{"lessThan": "1.7.3", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"platforms": ["macOS X"], "product": "PingID Desktop", "vendor": "Ping Identity", "versions": [{"lessThan": "1.7.3", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Ping Identity credits The Commonwealth Bank of Australia for the discovery of this vulnerability."}], "descriptions": [{"lang": "en", "value": "PingID Desktop prior to 1.7.3 has a misconfiguration in the encryption libraries which can lead to sensitive data exposure. An attacker capable of exploiting this vulnerability may be able to successfully complete an MFA challenge via OTP."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-310", "description": "CWE-310 Cryptographic Issues", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-04-30T21:15:23", "orgId": "5998a2e9-ae88-42cd-b6e0-7564fd979f9e", "shortName": "Ping Identity"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.pingidentity.com/en/resources/downloads/pingid.html"}, {"tags": ["x_refsource_MISC"], "url": "https://docs.pingidentity.com/bundle/pingid/page/dyt1645545885978.html"}], "source": {"advisory": "SECADV030", "discovery": "EXTERNAL"}, "title": "PingID Desktop encryption libraries misconfiguration can lead to sensitive data exposure", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "responsible-disclosure@pingidentity.com", "ID": "CVE-2021-42001", "STATE": "PUBLIC", "TITLE": "PingID Desktop encryption libraries misconfiguration can lead to sensitive data exposure"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "PingID Desktop", "version": {"version_data": [{"platform": "Windows", "version_affected": "<", "version_value": "1.7.3"}]}}, {"product_name": "PingID Desktop", "version": {"version_data": [{"platform": "macOS X", "version_affected": "<", "version_value": "1.7.3"}]}}]}, "vendor_name": "Ping Identity"}]}}, "credit": [{"lang": "eng", "value": "Ping Identity credits The Commonwealth Bank of Australia for the discovery of this vulnerability."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "PingID Desktop prior to 1.7.3 has a misconfiguration in the encryption libraries which can lead to sensitive data exposure. An attacker capable of exploiting this vulnerability may be able to successfully complete an MFA challenge via OTP."}]}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-310 Cryptographic Issues"}]}]}, "references": {"reference_data": [{"name": "https://www.pingidentity.com/en/resources/downloads/pingid.html", "refsource": "MISC", "url": "https://www.pingidentity.com/en/resources/downloads/pingid.html"}, {"name": "https://docs.pingidentity.com/bundle/pingid/page/dyt1645545885978.html", "refsource": "MISC", "url": "https://docs.pingidentity.com/bundle/pingid/page/dyt1645545885978.html"}]}, "source": {"advisory": "SECADV030", "discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T03:22:25.903Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.pingidentity.com/en/resources/downloads/pingid.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://docs.pingidentity.com/bundle/pingid/page/dyt1645545885978.html"}]}]}, "cveMetadata": {"assignerOrgId": "5998a2e9-ae88-42cd-b6e0-7564fd979f9e", "assignerShortName": "Ping Identity", "cveId": "CVE-2021-42001", "datePublished": "2022-04-30T21:15:24", "dateReserved": "2021-10-04T00:00:00", "dateUpdated": "2024-08-04T03:22:25.903Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pingidentity:pingid_desktop:*:*:*:*:*:mac_os_x:*:*", "matchCriteriaId": "35959255-CBEE-4FAB-AADB-437E690C55D6", "versionEndExcluding": "1.7.3", "vulnerable": true}, {"criteria": "cpe:2.3:a:pingidentity:pingid_desktop:*:*:*:*:*:windows:*:*", "matchCriteriaId": "1CE56EB1-96EC-48D8-9CE4-1F8CBA26EEAF", "versionEndExcluding": "1.7.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "PingID Desktop prior to 1.7.3 has a misconfiguration in the encryption libraries which can lead to sensitive data exposure. An attacker capable of exploiting this vulnerability may be able to successfully complete an MFA challenge via OTP."}, {"lang": "es", "value": "PingID Desktop versiones anteriores a 1.7.3, presenta una configuraci\u00f3n err\u00f3nea en las bibliotecas de cifrado que puede conllevar a una exposici\u00f3n de datos confidenciales. Un atacante capaz de explotar esta vulnerabilidad puede ser capaz de completar con \u00e9xito un desaf\u00edo MFA por medio de OTP"}], "id": "CVE-2021-42001", "lastModified": "2023-07-17T15:18:30.023", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 6.0, "source": "responsible-disclosure@pingidentity.com", "type": "Secondary"}]}, "published": "2022-04-30T22:15:08.257", "references": [{"source": "responsible-disclosure@pingidentity.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://docs.pingidentity.com/bundle/pingid/page/dyt1645545885978.html"}, {"source": "responsible-disclosure@pingidentity.com", "tags": ["Patch"], "url": "https://www.pingidentity.com/en/resources/downloads/pingid.html"}], "sourceIdentifier": "responsible-disclosure@pingidentity.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-310"}], "source": "responsible-disclosure@pingidentity.com", "type": "Secondary"}]}