CVE-2023-40545: 
PingFederate vulnerability analysis and mitigation

CVE-2023-40545 is an authentication bypass vulnerability affecting PingFederate when an OAuth2 Client is using clientsecretjwt as its authentication method on affected 11.3 versions. The vulnerability was discovered and disclosed by Ping Identity Corporation, with the initial public disclosure on February 6, 2024 (NVD).

The vulnerability allows authentication bypass through specially crafted requests when using the clientsecretjwt authentication method. It has been assigned a Critical severity rating with a CVSS v3.1 base score of 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) by NIST, while Ping Identity Corporation assessed it with a High severity rating of 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The vulnerability is classified under CWE-306 (Missing Authentication for Critical Function) (NVD).

The vulnerability could allow an attacker to bypass authentication mechanisms, potentially gaining unauthorized access to protected resources. Given the Critical CVSS rating and the nature of the vulnerability, successful exploitation could lead to complete system compromise with high impacts on confidentiality, integrity, and availability (NVD).

Organizations using affected versions of PingFederate 11.3 should upgrade to a patched version. Specific upgrade information and patches are available through Ping Identity's official channels (PingIdentity Downloads).