CVE-2023-36496 : Delegated Admin Privilege virtual attribute provider plugin, when enabled, allow

Delegated Admin Privilege virtual attribute provider plugin, when enabled, allows an authenticated user to elevate their permissions in the Directory Server.

Published 2024-02-01 23:15:09

Updated 2024-02-09 19:47:25

Source Ping Identity Corporation

View at NVD, CVE.org

Products affected by CVE-2023-36496

Pingidentity » Pingdirectory
Versions from including (>=) 8.3.0.0 and up to, including, (<=) 8.3.0.8
cpe:2.3:a:pingidentity:pingdirectory:*:*:*:*:*:*:*:*
Matching versions
Pingidentity » Pingdirectory
Versions from including (>=) 9.0.0.0 and up to, including, (<=) 9.0.0.5
cpe:2.3:a:pingidentity:pingdirectory:*:*:*:*:*:*:*:*
Matching versions
Pingidentity » Pingdirectory
Versions from including (>=) 9.1.0.0 and up to, including, (<=) 9.1.0.2
cpe:2.3:a:pingidentity:pingdirectory:*:*:*:*:*:*:*:*
Matching versions
Pingidentity » Pingdirectory » Version: 9.2.0.0
cpe:2.3:a:pingidentity:pingdirectory:9.2.0.0:*:*:*:*:*:*:*
Matching versions
Pingidentity » Pingdirectory » Version: 9.2.0.1
cpe:2.3:a:pingidentity:pingdirectory:9.2.0.1:*:*:*:*:*:*:*
Matching versions
Pingidentity » Pingdirectory » Version: 9.3.0.0
cpe:2.3:a:pingidentity:pingdirectory:9.3.0.0:*:*:*:*:*:*:*
Matching versions
Pingidentity » Pingdirectory » Version: 9.3.0.1
cpe:2.3:a:pingidentity:pingdirectory:9.3.0.1:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2023-36496

EPSS FAQ

0.15%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 32 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2023-36496

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
8.8	HIGH	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	2.8	5.9	NIST	2024-02-09
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High
7.7	HIGH	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:L	1.8	5.3	Ping Identity Corporation	2024-02-02
Attack Vector: Network Attack Complexity: High Privileges Required: Low User Interaction: None Scope: Changed Confidentiality: Low Integrity: High Availability: Low

CWE ids for CVE-2023-36496

CWE-269 Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

Assigned by: responsible-disclosure@pingidentity.com (Secondary)

References for CVE-2023-36496

https://docs.pingidentity.com/r/en-us/pingdirectory-93/ynf1693338390284

Reader • We’re here to help
Release Notes
https://www.pingidentity.com/en/resources/downloads/pingdirectory-downloads.html

PingDirectory Downloads
Product
https://support.pingidentity.com/s/article/SECADV039

PingOne Sign On
Permissions Required

Jump to

Vulnerability Details : CVE-2023-36496

Products affected by CVE-2023-36496

Exploit prediction scoring system (EPSS) score for CVE-2023-36496

CVSS scores for CVE-2023-36496

CWE ids for CVE-2023-36496

References for CVE-2023-36496