CVE-2023-39231

Medium

Description

PingFederate using the PingOne MFA adapter allows a new MFA device to be paired without requiring second-factor authentication from an existing registered device. A threat actor may be able to exploit this vulnerability to register their own MFA device if they have knowledge of a victim user's first-factor credentials.

References

https://www.pingidentity.com/en/resources/downloads/pingid.html

https://docs.pingidentity.com/r/en-us/pingfederate-pingone-mfa-ik/bks1657303194394

Details

Source: Mitre, NVD

Published: 2023-10-25

Updated: 2026-06-17

Risk Information

CVSS v2

Base Score: 6.8

Vector: CVSS2#AV:N/AC:L/Au:S/C:N/I:C/A:N

Severity: Medium

CVSS v3

Base Score: 6.5

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Severity: Medium

EPSS

EPSS: 0.0017