CVE-2022-23719
HIGHPingID Windows Login < 2.8 - Unauthenticated Spoofing via Local Java Service
Title source: llmDescription
PingID Windows Login prior to 2.8 does not authenticate communication with a local Java service used to capture security key requests. An attacker with the ability to execute code on the target machine maybe able to exploit and spoof the local Java service using multiple attack vectors. A successful attack can lead to code executed as SYSTEM by the PingID Windows Login application, or even a denial of service for offline security key authentication.
References (2)
Core 2
Core References
Product, Vendor Advisory x_refsource_misc
https://www.pingidentity.com/en/resources/downloads/pingid.html
Release Notes, Vendor Advisory x_refsource_misc
https://docs.pingidentity.com/bundle/pingid/page/zhy1653552428545.html
Scores
CVSS v3
7.2
EPSS
0.0027
EPSS Percentile
18.5%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H
Details
CWE
CWE-310
CWE-306
CWE-288
Status
published
Products (1)
pingidentity/pingid_integration_for_windows_login
< 2.8
Published
Jun 30, 2022
Tracked Since
Feb 18, 2026