CVE-2023-40148

MEDIUM

PingFederate 11.0-11.3 - Unauthenticated Server-Side Request Forgery

Title source: manual

Description

Server-side request forgery (SSRF) in PingFederate allows unauthenticated http requests to attack network resources and consume server-side resources via forged HTTP POST requests.

References (2)

Core 2

Core References

Various Sources

https://www.pingidentity.com/en/resources/downloads/pingfederate/previous-releases.html

Various Sources

https://docs.pingidentity.com/r/en-us/pingfederate-120/tuj1708533127032

Scores

CVSS v3 6.5

EPSS 0.0046

EPSS Percentile 36.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-918

Status published

Products (4)

Ping Identity/PingFederate 11.0.0 - 11.0.8

Ping Identity/PingFederate 11.1.0 - 11.1.8

Ping Identity/PingFederate 11.2.0 - 11.2.7

Ping Identity/PingFederate 11.3.0 - 11.3.2

Published Apr 10, 2024

Tracked Since Feb 18, 2026