CVE-2023-40702— PingOne MFA Integration Kit MFA bypass
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2023-40702
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
PingOne MFA Integration Kit MFA bypass
Source: NVD (National Vulnerability Database)
Vulnerability Description
PingOne MFA Integration Kit contains a vulnerability where the skipMFA action can be configured such that user authentication does not require the second factor authentication from the user's existing registered devices. A threat actor might be able to exploit this vulnerability to authenticate as a target user if they have existing knowledge of the target user’s first-factor credentials.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
使用欺骗进行的认证绕过
Source: NVD (National Vulnerability Database)
Vulnerability Title
Ping Identity PingFederate PingOne MFA Integration Kit 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Ping Identity PingFederate PingOne MFA Integration Kit是Ping Identity的该集成工具包允许PingFederate使用 PingOne MFA服务进行多因素身份验证 (MFA)。 Ping Identity PingFederate PingOne MFA Integration Kit 2.3.1之前版本存在安全漏洞,该漏洞源于通过配置skipMFA操作可以使用目标用户的身份进行身份验证。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Ping Identity | PingOne MFA Integration Kit for PingFederate | 0 ~ 2.3.1 | - |
II. Public POCs for CVE-2023-40702
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2023-40702
请登录查看更多情报信息。
Same Patch Batch · Ping Identity · 2024-07-09 · 5 CVEs total
| CVE-2024-22377 | 5.3 MEDIUM | PingFederate Runtime Node Path Traversal |
| CVE-2024-21832 | 3.5 LOW | PingFederate REST API Data Store Injection |
| CVE-2024-22477 | 1.8 LOW | PingFederate OIDC Policy Management Editor Cross-Site Scripting |
| CVE-2023-40356 | PingOne MFA Integration Kit MFA bypass |
IV. Related Vulnerabilities
Same vendor: Ping Identity
- CVE-2025-20628
Insufficient granularity of access control for Remote Connec - CVE-2025-27935
Authentication Bypass in OTP (One-time Passcode) IdP Adapter - CVE-2025-26862
PingFederate unexpected browser flow initiation in redirectl - CVE-2024-25573
Stored Cross-Site Scripting in Administrative Console Contex - CVE-2025-22854
Possible thread exhaustion from processing http responses in
Same weakness: CWE-290
- CVE-2021-47923
OpenCart 3.0.3.8 Session Fixation via OCSESSID Cookie - CVE-2026-42354
Sentry: Improper authentication on SAML SSO process allows u - CVE-2026-44118
OpenClaw < 2026.4.22 - Owner Context Spoofing via Bearer Tok - CVE-2026-39858
Traefik: Forwarded alias spoofing top pre-auth decision bypa - CVE-2018-25317
Tenda W3002R/A302/W309R V5.07.64_en Cookie Session Weakness
V. Comments for CVE-2023-40702
No comments yet