CVE-2023-36496

Published: Feb 1, 2024Modified: Nov 21, 2024

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

Delegated Admin Privilege virtual attribute provider plugin, when enabled, allows an authenticated user to elevate their permissions in the Directory Server.

Affected (7)

Products: Pingidentity: Pingdirectory

1 product

Configuration A

7 vulnerable

Vulnerable Software	Affected Versions
Pingidentity Pingdirectory	From 8.3.0.0 to 8.3.0.8
Pingidentity Pingdirectory	From 9.0.0.0 to 9.0.0.5
Pingidentity Pingdirectory	From 9.1.0.0 to 9.1.0.2
Pingidentity Pingdirectory	Version 9.2.0.0
Pingidentity Pingdirectory	Version 9.2.0.1
Pingidentity Pingdirectory	Version 9.3.0.0
Pingidentity Pingdirectory	Version 9.3.0.1

Related CWEs

Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

References (6)

https://docs.pingidentity.com/r/en-us/pingdirectory-93/ynf1693338390284

Source: responsible-disclosure@pingidentity.com

Release Notes

https://support.pingidentity.com/s/article/SECADV039

Source: responsible-disclosure@pingidentity.com

Permissions Required

https://www.pingidentity.com/en/resources/downloads/pingdirectory-downloads.html

Source: responsible-disclosure@pingidentity.com

Product

https://docs.pingidentity.com/r/en-us/pingdirectory-93/ynf1693338390284

Source: af854a3a-2127-422b-91ae-364da2661108

Release Notes

https://support.pingidentity.com/s/article/SECADV039

Source: af854a3a-2127-422b-91ae-364da2661108

Permissions Required

https://www.pingidentity.com/en/resources/downloads/pingdirectory-downloads.html

Source: af854a3a-2127-422b-91ae-364da2661108

Product

Timeline

No history available yet.