CVE-2023-34085: 
PingFederate vulnerability analysis and mitigation

When an AWS DynamoDB table is used for user attribute storage in PingFederate, it is possible to retrieve the attributes of another user using a maliciously crafted request. This vulnerability (CVE-2023-34085) was disclosed on October 25, 2023, affecting PingFederate versions up to 11.3.0 (NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 4.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. This indicates that the vulnerability can be exploited over the network, requires low attack complexity, needs low privileges, requires no user interaction, has unchanged scope, and can impact confidentiality at a low level without affecting integrity or availability (NVD).

The vulnerability allows unauthorized access to user attributes stored in AWS DynamoDB tables. An attacker can potentially view sensitive user information, leading to a breach of data confidentiality (NVD).

The vulnerability has been addressed in versions after PingFederate 11.3.0. Organizations using affected versions should upgrade to a patched version to mitigate this security risk (PingFederate Release).