Article - CS403495
PingIdentity Security Advisory SECADV037: Denial of Service, Information Disclosure & Authentication Bypass Vulnerabilities
Modified: 31-Oct-2023
Applies To
- FlexPLM
- ThingWorx Platform 8.4 and higher versions
- ThingWorx Navigate 1.7.0 and higher versions
- Windchill ProjectLink 11.0 and higher versions
- Windchill PDMLink 11.0 and higher versions
- Windchill MPMLink 11.0 and higher versions
- FlexPLM 11.0 and higher versions
- Windchill Modeler (formerly Integrity Modeler) 9.4 and higher versions
- PTC Arbortext Content Delivery (formerly Servigistics InService) 7.1.4.0 and higher versions
- Vuforia Experience Service 8.5.5 and higher versions
- Windchill RV&S (formerly Integrity Lifecycle Manager) 12.1 and higher versions
Description
- Be advised that PingIdentity has issued a security bulletin for PingFederate. This information is being passed on to customers as reported by PingIdentity.
- Ping Identity has confirmed three vulnerabilities in PingFederate:
- CVE-2023-37283: Authentication Bypass via HTML Form & Identifier First Adapter
- Under a very specific and strongly discouraged configuration, authentication bypass is possible in the PingFederate Identifier First Adapter.
- CVE-2023-39219: Admin Console Denial of Service via Java class enumeration
- A vulnerability in a PingFederate Admin Console dependency makes it possible to crash the Admin Console by flooding it with Java class enumeration requests.
- CVE-2023-34085: User Attribute Disclosure via DynamoDB Data Stores
- When a DynamoDB table is used for user attribute storage, it is possible to retrieve the attributes of another user via a maliciously crafted request.
- Please refer to the Ping Identity Security Advisory (SECADV037) for details.
- Note: A PingIdentity login is needed to view the Security Advisory article and download the relevant patches. Customers who do not already have a login will have to create one.