CVE-2022-40722: 
PingFederate vulnerability analysis and mitigation

A misconfiguration of RSA padding implemented in the PingID Adapter for PingFederate to support Offline MFA with PingID mobile authenticators was identified as CVE-2022-40722. The vulnerability was published on April 25, 2023, affecting PingFederate versions 11.1.0 through 11.1.5, 11.2.0 through 11.2.2, and PingID Adapter for PingFederate versions up to 2.13.2 (NVD CVE).

The vulnerability is related to improper implementation of RSA padding in the PingID Adapter for PingFederate's Offline MFA functionality. It has been assigned a CVSS v3.1 base score of 5.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:N. The vulnerability is classified under CWE-327 (Use of a Broken or Risky Cryptographic Algorithm) and CWE-780 (Use of RSA Algorithm without OAEP) (NVD CVE).

The vulnerability makes the system susceptible to pre-computed dictionary attacks, which could lead to a bypass of offline MFA authentication mechanisms (NVD CVE).

Organizations using affected versions of PingFederate and PingID Adapter should upgrade to the latest versions that contain the security fixes (NVD CVE).