User Attribute Disclosure via DynamoDB Data Stores
CVE-2023-34085

2.6LOW

Key Information:

Vendor: Ping Identity
Status: Pingfederate
Vendor: CVE Published:; 25 October 2023

🔔 Create Ping Identity Vulnerability Alert

What is CVE-2023-34085?

When an AWS DynamoDB table is used for user attribute storage, it is possible to retrieve the attributes of another user using a maliciously crafted request

Affected Version(s)

PingFederate 11.3 <= 11.3.0

References

https://www.pingidentity.com/en/resources/downloads/pingf...

https://docs.pingidentity.com/r/en-us/pingfederate-113/gy...

CVSS V3.1

Score:

2.6

Severity:

LOW

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 25, 2023
Vulnerability Reserved
Jul 25, 2023