CVE-2023-37283

8.1 HIGH

📋 TL;DR

This vulnerability allows authentication bypass in PingFederate's Identifier First Adapter when configured in a specific, non-recommended way. Attackers could potentially gain unauthorized access to protected resources. Organizations using PingFederate with the Identifier First Adapter in non-standard configurations are affected.

💻 Affected Systems

Products:
  • PingFederate
Versions: All versions up to and including 11.3
Operating Systems: All supported platforms
Default Config Vulnerable: ✅ No
Notes: Only affects systems using the Identifier First Adapter with specific non-recommended configurations

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete authentication bypass allowing unauthorized access to all protected applications and data behind PingFederate

🟠 Likely Case: Limited unauthorized access to specific applications or resources, depending on configuration

🟢 If Mitigated: No impact if the vendor's configuration guidelines are followed

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Requires specific non-standard configuration to be exploitable

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 11.3.1 and later

Vendor Advisory: https://docs.pingidentity.com/r/en-us/pingfederate-113/gyk1689105783244

Restart Required: Yes

Instructions:

1. Download PingFederate 11.3.1 or later from the Ping Identity portal.
2. Back up the current configuration.
3. Install the update following the PingFederate upgrade procedures.
4. Restart PingFederate services.

🔧 Temporary Workarounds

Reconfigure Identifier First Adapter (applies to: all affected versions)

Modify the Identifier First Adapter configuration to follow Ping Identity's recommended practices

🧯 If You Can't Patch

  • Review and reconfigure Identifier First Adapter to eliminate non-standard configurations
  • Implement additional authentication controls or network segmentation for PingFederate

🔍 How to Verify

Check if Vulnerable:

Check PingFederate version and review Identifier First Adapter configuration against Ping Identity recommendations

Check Version:

Check PingFederate admin console or server logs for version information

Verify Fix Applied:

Verify PingFederate version is 11.3.1 or later and confirm Identifier First Adapter follows recommended configuration

📡 Detection & Monitoring

Log Indicators:

  • Unusual authentication patterns
  • Failed authentication attempts followed by successful access
  • Access from unexpected sources

Network Indicators:

  • Unusual traffic patterns to PingFederate endpoints
  • Authentication bypass attempts

SIEM Query:

source="pingfederate" AND (event_type="authentication" AND result="success" AND previous_event="failure")
