
CVE-2021-42000 : What You Need to Know

Discover the impact of CVE-2021-42000 affecting PingFederate versions 9.3.3-P15 through 10.3.2. Learn about the vulnerability allowing users to reset passwords of other users and the necessary mitigation steps.

Ping Identity's PingFederate versions 9.3.3-P15 through 10.3.2 are affected by a vulnerability that allows existing users to reset other users' passwords.

Understanding CVE-2021-42000

A vulnerability in PingFederate allows existing users to reset the passwords of other users when password reset is configured with authentication policies.

What is CVE-2021-42000?

        Configuration of password reset with authentication policies allows users to reset passwords of other existing users.

The Impact of CVE-2021-42000

        CVSS Base Score: 5.3 (Medium Severity)
        Attack Complexity: High
        Attack Vector: Network
        Integrity Impact: High
        User Interaction: Required

Technical Details of CVE-2021-42000

A detailed overview of the technical aspects of this CVE

Vulnerability Description

        Existing users can reset passwords of other users in parallel reset flows.

Affected Systems and Versions

        PingFederate versions 9.3.3-P15 through 10.3.2 are affected.

Exploitation Mechanism

        An existing user who can reach the password reset flow can, when another user's reset flow is running in parallel, cause that other user's password to be reset instead of their own.

Mitigation and Prevention

Protecting your system from CVE-2021-42000

Immediate Steps to Take

        Update PingFederate to patched versions 9.3.3-P16, 10.0.12, 10.1.9, 10.2.7, or 10.3.3.
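As an added example (not part of this advisory and not Ping Identity's code), the Python helper below triages an inventory of PingFederate version strings against the affected window and the fixed releases listed above. The version-string format (MAJOR.MINOR.PATCH with an optional -Pn cumulative-patch suffix) and the treatment of a missing suffix as level 0 are assumptions; the host names are constructed.

```python
import re
from typing import Dict, Iterable, Tuple

Version = Tuple[int, int, int, int]  # (major, minor, patch, P-level; 0 when absent)

# Affected window and fixed releases exactly as stated in the advisory above.
FIRST_AFFECTED = "9.3.3-P15"
LAST_AFFECTED = "10.3.2"
FIXED_RELEASES = ["9.3.3-P16", "10.0.12", "10.1.9", "10.2.7", "10.3.3"]

# Assumed format: MAJOR.MINOR.PATCH with an optional "-Pn" cumulative-patch suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-P(\d+))?$")


def parse_version(text: str) -> Version:
    """Parse a PingFederate version string into a comparable tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PingFederate version string: {text!r}")
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


# First fixed release on each maintenance branch, keyed by (major, minor).
_FIX_BY_BRANCH: Dict[Tuple[int, int], Version] = {
    v[:2]: v for v in map(parse_version, FIXED_RELEASES)
}


def is_affected(version_text: str) -> bool:
    """True if the install is inside the affected window and predates the fix
    for its branch. A branch inside the window with no listed fix is treated
    as affected, the conservative choice for an inventory sweep."""
    v = parse_version(version_text)
    if v < parse_version(FIRST_AFFECTED):
        return False
    fix = _FIX_BY_BRANCH.get(v[:2])
    if fix is not None:
        return v < fix
    return v <= parse_version(LAST_AFFECTED)


def triage(inventory: Iterable[Tuple[str, str]]) -> Dict[str, str]:
    """Map each (host, version) row to 'AFFECTED' or 'not affected'."""
    return {host: ("AFFECTED" if is_affected(ver) else "not affected")
            for host, ver in inventory}


if __name__ == "__main__":
    # Constructed sample inventory; these are not real hosts.
    sample = [("idp-a.example", "9.3.3-P15"), ("idp-b.example", "9.3.3-P16"),
              ("idp-c.example", "10.2.6"), ("idp-d.example", "10.3.3"),
              ("idp-e.example", "9.3.3")]
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```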

Long-Term Security Practices

        Regularly review and update authentication policies and configurations.
        Educate users about safe password practices.

Patching and Updates

        Stay informed about security updates and promptly apply patches.
