18 vulnerabilities found for Identity by CyberArk
FKIE_CVE-2024-42340
Vulnerability from fkie_nvd - Published: 2024-08-25 08:15 - Updated: 2024-08-30 19:47
Severity
8.3 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Summary
CyberArk - CWE-602: Client-Side Enforcement of Server-Side Security
References
| Source | URL | Tags |
|---|---|---|
| cna@cyber.gov.il | https://www.gov.il/en/Departments/faq/cve_advisories | Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:cyberark:identity:*:*:*:*:*:*:*:*",
"matchCriteriaId": "05F3B3BD-6311-4715-A14E-F12BFAC1C7B4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "CyberArk - CWE-602: Client-Side Enforcement of Server-Side Security"
},
{
"lang": "es",
"value": "CyberArk - CWE-602: Aplicaci\u00f3n de la seguridad del lado del cliente en el lado del servidor"
}
],
"id": "CVE-2024-42340",
"lastModified": "2024-08-30T19:47:36.000",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.5,
"source": "cna@cyber.gov.il",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-08-25T08:15:03.290",
"references": [
{
"source": "cna@cyber.gov.il",
"tags": [
"Third Party Advisory"
],
"url": "https://www.gov.il/en/Departments/faq/cve_advisories"
}
],
"sourceIdentifier": "cna@cyber.gov.il",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-602"
}
],
"source": "cna@cyber.gov.il",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2024-42339
Vulnerability from fkie_nvd - Published: 2024-08-25 07:15 - Updated: 2024-08-30 19:47
Severity
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Summary
CyberArk - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
References
| Source | URL | Tags |
|---|---|---|
| cna@cyber.gov.il | https://www.gov.il/en/Departments/faq/cve_advisories | Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:cyberark:identity:*:*:*:*:*:*:*:*",
"matchCriteriaId": "05F3B3BD-6311-4715-A14E-F12BFAC1C7B4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "CyberArk - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
},
{
"lang": "es",
"value": "CyberArk - CWE-200: Exposici\u00f3n de informaci\u00f3n confidencial a un actor no autorizado"
}
],
"id": "CVE-2024-42339",
"lastModified": "2024-08-30T19:47:13.743",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "cna@cyber.gov.il",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-08-25T07:15:11.067",
"references": [
{
"source": "cna@cyber.gov.il",
"tags": [
"Third Party Advisory"
],
"url": "https://www.gov.il/en/Departments/faq/cve_advisories"
}
],
"sourceIdentifier": "cna@cyber.gov.il",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "cna@cyber.gov.il",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2024-42338
Vulnerability from fkie_nvd - Published: 2024-08-25 07:15 - Updated: 2024-08-30 19:47
Severity
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Summary
CyberArk - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
References
| Source | URL | Tags |
|---|---|---|
| cna@cyber.gov.il | https://www.gov.il/en/Departments/faq/cve_advisories | Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:cyberark:identity:*:*:*:*:*:*:*:*",
"matchCriteriaId": "05F3B3BD-6311-4715-A14E-F12BFAC1C7B4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "CyberArk - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
},
{
"lang": "es",
"value": "CyberArk - CWE-200: Exposici\u00f3n de informaci\u00f3n confidencial a un actor no autorizado"
}
],
"id": "CVE-2024-42338",
"lastModified": "2024-08-30T19:47:46.903",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "cna@cyber.gov.il",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-08-25T07:15:10.350",
"references": [
{
"source": "cna@cyber.gov.il",
"tags": [
"Third Party Advisory"
],
"url": "https://www.gov.il/en/Departments/faq/cve_advisories"
}
],
"sourceIdentifier": "cna@cyber.gov.il",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "cna@cyber.gov.il",
"type": "Primary"
}
]
}
FKIE_CVE-2024-42337
Vulnerability from fkie_nvd - Published: 2024-08-25 07:15 - Updated: 2024-08-30 19:47
Severity
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
CyberArk - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
References
| Source | URL | Tags |
|---|---|---|
| cna@cyber.gov.il | https://www.gov.il/en/Departments/faq/cve_advisories | Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:cyberark:identity:*:*:*:*:*:*:*:*",
"matchCriteriaId": "05F3B3BD-6311-4715-A14E-F12BFAC1C7B4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "CyberArk - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
},
{
"lang": "es",
"value": "CyberArk - CWE-200: Exposici\u00f3n de informaci\u00f3n confidencial a un actor no autorizado"
}
],
"id": "CVE-2024-42337",
"lastModified": "2024-08-30T19:47:49.993",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "cna@cyber.gov.il",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-08-25T07:15:08.540",
"references": [
{
"source": "cna@cyber.gov.il",
"tags": [
"Third Party Advisory"
],
"url": "https://www.gov.il/en/Departments/faq/cve_advisories"
}
],
"sourceIdentifier": "cna@cyber.gov.il",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "cna@cyber.gov.il",
"type": "Primary"
}
]
}
FKIE_CVE-2022-22700
Vulnerability from fkie_nvd - Published: 2022-03-03 19:15 - Updated: 2024-11-21 06:47
Severity
Summary
CyberArk Identity versions up to and including 22.1 in the 'StartAuthentication' resource, exposes the response header 'X-CFY-TX-TM'. In certain configurations, that response header contains different, predictable value ranges which can be used to determine whether a user exists in the tenant.
References
| Source | URL | Tags |
|---|---|---|
| help@fluidattacks.com | https://docs.cyberark.com/Product-Doc/OnlineHelp/Idaptive/Latest/en/Content/ReleaseNotes/ReleaseNotes-Latest.htm | Release Notes, Vendor Advisory |
| help@fluidattacks.com | https://fluidattacks.com/advisories/porter/ | Exploit, Third Party Advisory |
| af854a3a-2127-422b-91ae-364da2661108 | https://docs.cyberark.com/Product-Doc/OnlineHelp/Idaptive/Latest/en/Content/ReleaseNotes/ReleaseNotes-Latest.htm | Release Notes, Vendor Advisory |
| af854a3a-2127-422b-91ae-364da2661108 | https://fluidattacks.com/advisories/porter/ | Exploit, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:cyberark:identity:*:*:*:*:*:*:*:*",
"matchCriteriaId": "8814D49B-A216-498A-B47D-0254C769E6C0",
"versionEndIncluding": "22.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "CyberArk Identity versions up to and including 22.1 in the \u0027StartAuthentication\u0027 resource, exposes the response header \u0027X-CFY-TX-TM\u0027. In certain configurations, that response header contains different, predictable value ranges which can be used to determine whether a user exists in the tenant."
},
{
"lang": "es",
"value": "CyberArk Identity versiones hasta la 22.1 incluy\u00e9ndola, en el recurso \"StartAuthentication\", exponen el encabezado de respuesta \"X-CFY-TX-TM\". En determinadas configuraciones, ese encabezado de respuesta contiene diferentes rangos de valores predecibles que pueden ser usados para determinar si un usuario se presenta en el tenant"
}
],
"id": "CVE-2022-22700",
"lastModified": "2024-11-21T06:47:16.743",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-03-03T19:15:08.710",
"references": [
{
"source": "help@fluidattacks.com",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://docs.cyberark.com/Product-Doc/OnlineHelp/Idaptive/Latest/en/Content/ReleaseNotes/ReleaseNotes-Latest.htm"
},
{
"source": "help@fluidattacks.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://fluidattacks.com/advisories/porter/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://docs.cyberark.com/Product-Doc/OnlineHelp/Idaptive/Latest/en/Content/ReleaseNotes/ReleaseNotes-Latest.htm"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://fluidattacks.com/advisories/porter/"
}
],
"sourceIdentifier": "help@fluidattacks.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-330"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2021-37151
Vulnerability from fkie_nvd - Published: 2021-09-01 13:15 - Updated: 2024-11-21 06:14
Severity
Summary
CyberArk Identity 21.5.131, when handling an invalid authentication attempt, sometimes reveals whether the username is valid. In certain authentication policy configurations with MFA, the API response length can be used to differentiate between a valid user and an invalid one (aka Username Enumeration). Response differentiation enables attackers to enumerate usernames of valid application users. Attackers can use this information to leverage brute-force and dictionary attacks in order to discover valid account information such as passwords.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:cyberark:identity:*:*:*:*:*:*:*:*",
"matchCriteriaId": "BD819936-9C28-43AC-90B8-8447B2B343C2",
"versionEndExcluding": "21.11.133",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "CyberArk Identity 21.5.131, when handling an invalid authentication attempt, sometimes reveals whether the username is valid. In certain authentication policy configurations with MFA, the API response length can be used to differentiate between a valid user and an invalid one (aka Username Enumeration). Response differentiation enables attackers to enumerate usernames of valid application users. Attackers can use this information to leverage brute-force and dictionary attacks in order to discover valid account information such as passwords."
},
{
"lang": "es",
"value": "CyberArk Identity versi\u00f3n 21.5.131, cuando maneja un intento de autenticaci\u00f3n no v\u00e1lido, a veces revela si el nombre de usuario es v\u00e1lido. En determinadas configuraciones de pol\u00edticas de autenticaci\u00f3n con MFA, la longitud de la respuesta de la API puede ser usada para diferenciar entre un usuario v\u00e1lido y uno no v\u00e1lido (tambi\u00e9n se conoce como Enumeraci\u00f3n de Nombres de Usuario). La diferenciaci\u00f3n de la respuesta permite a atacantes enumerar los nombres de usuario de los usuarios v\u00e1lidos de la aplicaci\u00f3n. Los atacantes pueden usar esta informaci\u00f3n para aprovechar los ataques de fuerza bruta y de diccionario con el fin de detectar informaci\u00f3n v\u00e1lida de la cuenta, como las contrase\u00f1as"
}
],
"id": "CVE-2021-37151",
"lastModified": "2024-11-21T06:14:44.197",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-09-01T13:15:08.367",
"references": [
{
"source": "cna@cyber.gov.il",
"url": "https://www.cyberark.com/products/"
},
{
"source": "cna@cyber.gov.il",
"url": "https://www.gov.il/en/departments/faq/cve_advisories"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.cyberark.com/products/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.gov.il/en/departments/faq/cve_advisories"
}
],
"sourceIdentifier": "cna@cyber.gov.il",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-203"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2024-42340 (GCVE-0-2024-42340)
Vulnerability from cvelistv5 – Published: 2024-08-25 07:12 – Updated: 2024-08-26 19:18
Summary
CyberArk - CWE-602: Client-Side Enforcement of Server-Side Security
Severity
8.3 (High)
CWE
- CWE-602 - Client-Side Enforcement of Server-Side Security
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| CyberArk | CyberArk Identity Management | Affected: All versions, < Upgrade to latest version (custom) |
Credits
Dudu Moyal, Moriel Harush - Peer Security LTD
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:cyberark:identity:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "identity",
"vendor": "cyberark",
"versions": [
{
"lessThan": "24.8",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-42340",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-26T19:12:54.293755Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-26T19:18:05.719Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CyberArk Identity Management",
"vendor": "CyberArk",
"versions": [
{
"lessThan": "Upgrade to latest version",
"status": "affected",
"version": "All versions",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dudu Moyal, Moriel Harush - Peer Security LTD"
}
],
"datePublic": "2024-08-25T07:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CyberArk - CWE-602: Client-Side Enforcement of Server-Side Security\u003cbr\u003e"
}
],
"value": "CyberArk - CWE-602: Client-Side Enforcement of Server-Side Security"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-602",
"description": "CWE-602: Client-Side Enforcement of Server-Side Security",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-25T07:12:05.219Z",
"orgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f",
"shortName": "INCD"
},
"references": [
{
"url": "https://www.gov.il/en/Departments/faq/cve_advisories"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eUpgrade to latest version\u003c/span\u003e\n\n\u003cbr\u003e"
}
],
"value": "Upgrade to latest version"
}
],
"source": {
"advisory": "ILVN-2024-0193",
"discovery": "UNKNOWN"
},
"title": "CyberArk - CWE-602: Client-Side Enforcement of Server-Side Security",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f",
"assignerShortName": "INCD",
"cveId": "CVE-2024-42340",
"datePublished": "2024-08-25T07:12:05.219Z",
"dateReserved": "2024-07-30T09:20:10.447Z",
"dateUpdated": "2024-08-26T19:18:05.719Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-42339 (GCVE-0-2024-42339)
Vulnerability from cvelistv5 – Published: 2024-08-25 07:08 – Updated: 2024-08-28 16:01
Summary
CyberArk - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
Severity
4.3 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| CyberArk | CyberArk Identity Management | Affected: All versions, < Upgrade to latest version (custom) |
Credits
Dudu Moyal, Moriel Harush - Peer Security LTD
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-42339",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-28T16:00:53.016135Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-28T16:01:09.988Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CyberArk Identity Management",
"vendor": "CyberArk",
"versions": [
{
"lessThan": "Upgrade to latest version",
"status": "affected",
"version": "All versions",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dudu Moyal, Moriel Harush - Peer Security LTD"
}
],
"datePublic": "2024-08-25T07:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CyberArk - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor\u003cbr\u003e"
}
],
"value": "CyberArk - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-25T07:08:37.856Z",
"orgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f",
"shortName": "INCD"
},
"references": [
{
"url": "https://www.gov.il/en/Departments/faq/cve_advisories"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eUpgrade to latest version\u003c/span\u003e\n\n\u003cbr\u003e"
}
],
"value": "Upgrade to latest version"
}
],
"source": {
"advisory": "ILVN-2024-0192",
"discovery": "UNKNOWN"
},
"title": "CyberArk - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f",
"assignerShortName": "INCD",
"cveId": "CVE-2024-42339",
"datePublished": "2024-08-25T07:08:37.856Z",
"dateReserved": "2024-07-30T09:20:10.447Z",
"dateUpdated": "2024-08-28T16:01:09.988Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-42338 (GCVE-0-2024-42338)
Vulnerability from cvelistv5 – Published: 2024-08-25 07:07 – Updated: 2024-08-26 15:24
Summary
CyberArk - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
Severity
4.3 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| CyberArk | CyberArk Identity Management | Affected: All versions, < Upgrade to latest version (custom) |
Credits
Dudu Moyal, Moriel Harush - Peer Security LTD
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-42338",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-26T15:24:32.747117Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-26T15:24:55.654Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CyberArk Identity Management",
"vendor": "CyberArk",
"versions": [
{
"lessThan": "Upgrade to latest version",
"status": "affected",
"version": "All versions",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dudu Moyal, Moriel Harush - Peer Security LTD"
}
],
"datePublic": "2024-08-25T07:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CyberArk - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor\u003cbr\u003e"
}
],
"value": "CyberArk - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-25T07:07:59.731Z",
"orgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f",
"shortName": "INCD"
},
"references": [
{
"url": "https://www.gov.il/en/Departments/faq/cve_advisories"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eUpgrade to latest version\u003c/span\u003e\n\n\u003cbr\u003e"
}
],
"value": "Upgrade to latest version"
}
],
"source": {
"advisory": "ILVN-2024-0191",
"discovery": "UNKNOWN"
},
"title": "CyberArk - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f",
"assignerShortName": "INCD",
"cveId": "CVE-2024-42338",
"datePublished": "2024-08-25T07:07:59.731Z",
"dateReserved": "2024-07-30T09:20:10.447Z",
"dateUpdated": "2024-08-26T15:24:55.654Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-42337 (GCVE-0-2024-42337)
Vulnerability from cvelistv5 – Published: 2024-08-25 07:03 – Updated: 2024-08-28 14:17
Summary
CyberArk - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
Severity
4.3 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| CyberArk | CyberArk Identity Management | Affected: All versions, < Upgrade to latest version (custom) |
Credits
Dudu Moyal, Moriel Harush - Peer Security LTD
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-42337",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-28T14:17:29.159212Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-28T14:17:41.642Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CyberArk Identity Management",
"vendor": "CyberArk",
"versions": [
{
"lessThan": "Upgrade to latest version",
"status": "affected",
"version": "All versions",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dudu Moyal, Moriel Harush - Peer Security LTD"
}
],
"datePublic": "2024-08-25T07:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CyberArk - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor\u003cbr\u003e"
}
],
"value": "CyberArk - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-25T07:03:24.805Z",
"orgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f",
"shortName": "INCD"
},
"references": [
{
"url": "https://www.gov.il/en/Departments/faq/cve_advisories"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eUpgrade to latest version\u003c/span\u003e\n\n\u003cbr\u003e"
}
],
"value": "Upgrade to latest version"
}
],
"source": {
"advisory": "ILVN-2024-0190",
"discovery": "UNKNOWN"
},
"title": "CyberArk - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f",
"assignerShortName": "INCD",
"cveId": "CVE-2024-42337",
"datePublished": "2024-08-25T07:03:24.805Z",
"dateReserved": "2024-07-30T09:20:10.447Z",
"dateUpdated": "2024-08-28T14:17:41.642Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-22700 (GCVE-0-2022-22700)
Vulnerability from cvelistv5 – Published: 2022-03-03 18:20 – Updated: 2024-08-03 03:21
Summary
CyberArk Identity versions up to and including 22.1 in the 'StartAuthentication' resource, exposes the response header 'X-CFY-TX-TM'. In certain configurations, that response header contains different, predictable value ranges which can be used to determine whether a user exists in the tenant.
Severity ?
No CVSS data available.
CWE
- User enumeration
Assigner
References
| URL | Tags |
|---|---|
| https://fluidattacks.com/advisories/porter/ | x_refsource_MISC (finder advisory) |
| https://docs.cyberark.com/Product-Doc/OnlineHelp/Idaptive/Latest/en/Content/ReleaseNotes/ReleaseNotes-Latest.htm | x_refsource_MISC (vendor release notes) |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | CyberArk Identity |
Affected:
22.1 (the description states that all versions up to and including 22.1 are affected; the CNA version list names only 22.1 and gives no fixed version, so consult the vendor release notes linked above for the remediated release)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:21:49.056Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://fluidattacks.com/advisories/porter/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.cyberark.com/Product-Doc/OnlineHelp/Idaptive/Latest/en/Content/ReleaseNotes/ReleaseNotes-Latest.htm"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "CyberArk Identity",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "22.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "CyberArk Identity versions up to and including 22.1 in the \u0027StartAuthentication\u0027 resource, exposes the response header \u0027X-CFY-TX-TM\u0027. In certain configurations, that response header contains different, predictable value ranges which can be used to determine whether a user exists in the tenant."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "User enumeration",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-03-03T18:20:21",
"orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"shortName": "Fluid Attacks"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://fluidattacks.com/advisories/porter/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.cyberark.com/Product-Doc/OnlineHelp/Idaptive/Latest/en/Content/ReleaseNotes/ReleaseNotes-Latest.htm"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "help@fluidattacks.com",
"ID": "CVE-2022-22700",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "CyberArk Identity",
"version": {
"version_data": [
{
"version_value": "22.1"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "CyberArk Identity versions up to and including 22.1 in the \u0027StartAuthentication\u0027 resource, exposes the response header \u0027X-CFY-TX-TM\u0027. In certain configurations, that response header contains different, predictable value ranges which can be used to determine whether a user exists in the tenant."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "User enumeration"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://fluidattacks.com/advisories/porter/",
"refsource": "MISC",
"url": "https://fluidattacks.com/advisories/porter/"
},
{
"name": "https://docs.cyberark.com/Product-Doc/OnlineHelp/Idaptive/Latest/en/Content/ReleaseNotes/ReleaseNotes-Latest.htm",
"refsource": "MISC",
"url": "https://docs.cyberark.com/Product-Doc/OnlineHelp/Idaptive/Latest/en/Content/ReleaseNotes/ReleaseNotes-Latest.htm"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"assignerShortName": "Fluid Attacks",
"cveId": "CVE-2022-22700",
"datePublished": "2022-03-03T18:20:21",
"dateReserved": "2022-01-05T00:00:00",
"dateUpdated": "2024-08-03T03:21:49.056Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-37151 (GCVE-0-2021-37151)
Vulnerability from cvelistv5 – Published: 2021-09-01 12:35 – Updated: 2024-08-04 01:16
Summary
CyberArk Identity 21.5.131, when handling an invalid authentication attempt, sometimes reveals whether the username is valid. In certain authentication policy configurations with MFA, the API response length can be used to differentiate between a valid user and an invalid one (aka Username Enumeration). Response differentiation enables attackers to enumerate usernames of valid application users. Attackers can use this information to leverage brute-force and dictionary attacks in order to discover valid account information such as passwords.
Severity ?
No CVSS data available.
CWE
- Username Enumeration Vulnerability
Assigner
References
| URL | Tags |
|---|---|
| https://www.cyberark.com/products/ | x_refsource_MISC (generic vendor product page, not a security advisory) |
| https://www.gov.il/en/departments/faq/cve_advisories | x_refsource_MISC (INCD advisory index) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T01:16:02.865Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.cyberark.com/products/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.gov.il/en/departments/faq/cve_advisories"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Identity",
"vendor": "CyberArk",
"versions": [
{
"status": "affected",
"version": "21.5.131"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "CyberArk Identity 21.5.131, when handling an invalid authentication attempt, sometimes reveals whether the username is valid. In certain authentication policy configurations with MFA, the API response length can be used to differentiate between a valid user and an invalid one (aka Username Enumeration). Response differentiation enables attackers to enumerate usernames of valid application users. Attackers can use this information to leverage brute-force and dictionary attacks in order to discover valid account information such as passwords."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Username Enumeration Vulnerability",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-02T13:24:35",
"orgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f",
"shortName": "INCD"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.cyberark.com/products/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.gov.il/en/departments/faq/cve_advisories"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@cyber.gov.il",
"ID": "CVE-2021-37151",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Identity",
"version": {
"version_data": [
{
"version_value": "21.5.131"
}
]
}
}
]
},
"vendor_name": "CyberArk"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "CyberArk Identity 21.5.131, when handling an invalid authentication attempt, sometimes reveals whether the username is valid. In certain authentication policy configurations with MFA, the API response length can be used to differentiate between a valid user and an invalid one (aka Username Enumeration). Response differentiation enables attackers to enumerate usernames of valid application users. Attackers can use this information to leverage brute-force and dictionary attacks in order to discover valid account information such as passwords."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Username Enumeration Vulnerability"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.cyberark.com/products/",
"refsource": "MISC",
"url": "https://www.cyberark.com/products/"
},
{
"name": "https://www.gov.il/en/departments/faq/cve_advisories",
"refsource": "MISC",
"url": "https://www.gov.il/en/departments/faq/cve_advisories"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f",
"assignerShortName": "INCD",
"cveId": "CVE-2021-37151",
"datePublished": "2021-09-01T12:35:08",
"dateReserved": "2021-07-21T00:00:00",
"dateUpdated": "2024-08-04T01:16:02.865Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-42340 (GCVE-0-2024-42340)
Vulnerability from nvd – Published: 2024-08-25 07:12 – Updated: 2024-08-26 19:18
Summary
CyberArk Identity Management – CWE-602: Client-Side Enforcement of Server-Side Security. The CNA record carries no technical description beyond the CWE title. The assigned vector (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L, 8.3 High) describes a network-reachable weakness exploitable by a low-privileged account without user interaction, with high confidentiality and integrity impact — consistent with a server-side security decision that the record classifies as enforced only on the client.
Severity ?
8.3 (High)
CWE
- CWE-602 - Client-Side Enforcement of Server-Side Security
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| CyberArk | CyberArk Identity Management |
Affected:
All versions before 24.8, per the CISA ADP affected range in this record (cpe:2.3:a:cyberark:identity, version 0 up to but excluding 24.8). The CNA entry itself lists only "All versions" with the remediation "Upgrade to latest version" and names no fixed build; note that its `lessThan` field holds remediation text rather than a version number.
|
Credits
Dudu Moyal, Moriel Harush - Peer Security LTD
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:cyberark:identity:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "identity",
"vendor": "cyberark",
"versions": [
{
"lessThan": "24.8",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-42340",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-26T19:12:54.293755Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-26T19:18:05.719Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CyberArk Identity Management",
"vendor": "CyberArk",
"versions": [
{
"lessThan": "Upgrade to latest version",
"status": "affected",
"version": "All versions",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dudu Moyal, Moriel Harush - Peer Security LTD"
}
],
"datePublic": "2024-08-25T07:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CyberArk - CWE-602: Client-Side Enforcement of Server-Side Security\u003cbr\u003e"
}
],
"value": "CyberArk - CWE-602: Client-Side Enforcement of Server-Side Security"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-602",
"description": "CWE-602: Client-Side Enforcement of Server-Side Security",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-25T07:12:05.219Z",
"orgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f",
"shortName": "INCD"
},
"references": [
{
"url": "https://www.gov.il/en/Departments/faq/cve_advisories"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eUpgrade to latest version\u003c/span\u003e\n\n\u003cbr\u003e"
}
],
"value": "Upgrade to latest version"
}
],
"source": {
"advisory": "ILVN-2024-0193",
"discovery": "UNKNOWN"
},
"title": "CyberArk - CWE-602: Client-Side Enforcement of Server-Side Security",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f",
"assignerShortName": "INCD",
"cveId": "CVE-2024-42340",
"datePublished": "2024-08-25T07:12:05.219Z",
"dateReserved": "2024-07-30T09:20:10.447Z",
"dateUpdated": "2024-08-26T19:18:05.719Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-42339 (GCVE-0-2024-42339)
Vulnerability from nvd – Published: 2024-08-25 07:08 – Updated: 2024-08-28 16:01
Summary
CyberArk Identity Management – CWE-200: Exposure of Sensitive Information to an Unauthorized Actor. The CNA record carries no technical description beyond the CWE title. The assigned vector (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, 4.3 Medium) describes a network-reachable information disclosure available to a low-privileged account without user interaction, with low confidentiality impact and no integrity or availability impact.
Severity ?
4.3 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| CyberArk | CyberArk Identity Management |
Affected:
All versions (CNA entry). The remediation is "Upgrade to latest version"; the CNA's `lessThan` field holds that remediation text rather than a version number, and this record contains no CISA ADP affected range, so no fixed version can be derived from it.
|
Credits
Dudu Moyal, Moriel Harush - Peer Security LTD
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-42339",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-28T16:00:53.016135Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-28T16:01:09.988Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CyberArk Identity Management",
"vendor": "CyberArk",
"versions": [
{
"lessThan": "Upgrade to latest version",
"status": "affected",
"version": "All versions",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dudu Moyal, Moriel Harush - Peer Security LTD"
}
],
"datePublic": "2024-08-25T07:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CyberArk - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor\u003cbr\u003e"
}
],
"value": "CyberArk - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-25T07:08:37.856Z",
"orgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f",
"shortName": "INCD"
},
"references": [
{
"url": "https://www.gov.il/en/Departments/faq/cve_advisories"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eUpgrade to latest version\u003c/span\u003e\n\n\u003cbr\u003e"
}
],
"value": "Upgrade to latest version"
}
],
"source": {
"advisory": "ILVN-2024-0192",
"discovery": "UNKNOWN"
},
"title": "CyberArk - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f",
"assignerShortName": "INCD",
"cveId": "CVE-2024-42339",
"datePublished": "2024-08-25T07:08:37.856Z",
"dateReserved": "2024-07-30T09:20:10.447Z",
"dateUpdated": "2024-08-28T16:01:09.988Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-42338 (GCVE-0-2024-42338)
Vulnerability from nvd – Published: 2024-08-25 07:07 – Updated: 2024-08-26 15:24
Summary
CyberArk Identity Management – CWE-200: Exposure of Sensitive Information to an Unauthorized Actor. The CNA record carries no technical description beyond the CWE title. The assigned vector (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, 4.3 Medium) describes a network-reachable information disclosure available to a low-privileged account without user interaction, with low confidentiality impact and no integrity or availability impact.
Severity ?
4.3 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| CyberArk | CyberArk Identity Management |
Affected:
All versions (CNA entry). The remediation is "Upgrade to latest version"; the CNA's `lessThan` field holds that remediation text rather than a version number, and this record contains no CISA ADP affected range, so no fixed version can be derived from it.
|
Credits
Dudu Moyal, Moriel Harush - Peer Security LTD
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-42338",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-26T15:24:32.747117Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-26T15:24:55.654Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CyberArk Identity Management",
"vendor": "CyberArk",
"versions": [
{
"lessThan": "Upgrade to latest version",
"status": "affected",
"version": "All versions",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dudu Moyal, Moriel Harush - Peer Security LTD"
}
],
"datePublic": "2024-08-25T07:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CyberArk - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor\u003cbr\u003e"
}
],
"value": "CyberArk - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-25T07:07:59.731Z",
"orgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f",
"shortName": "INCD"
},
"references": [
{
"url": "https://www.gov.il/en/Departments/faq/cve_advisories"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eUpgrade to latest version\u003c/span\u003e\n\n\u003cbr\u003e"
}
],
"value": "Upgrade to latest version"
}
],
"source": {
"advisory": "ILVN-2024-0191",
"discovery": "UNKNOWN"
},
"title": "CyberArk - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f",
"assignerShortName": "INCD",
"cveId": "CVE-2024-42338",
"datePublished": "2024-08-25T07:07:59.731Z",
"dateReserved": "2024-07-30T09:20:10.447Z",
"dateUpdated": "2024-08-26T15:24:55.654Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-42337 (GCVE-0-2024-42337)
Vulnerability from nvd – Published: 2024-08-25 07:03 – Updated: 2024-08-28 14:17
Summary
CyberArk Identity Management – CWE-200: Exposure of Sensitive Information to an Unauthorized Actor. The CNA record carries no technical description beyond the CWE title. The assigned vector (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, 4.3 Medium) describes a network-reachable information disclosure available to a low-privileged account without user interaction, with low confidentiality impact and no integrity or availability impact.
Severity ?
4.3 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| CyberArk | CyberArk Identity Management |
Affected:
All versions (CNA entry). The remediation is "Upgrade to latest version"; the CNA's `lessThan` field holds that remediation text rather than a version number, and this record contains no CISA ADP affected range, so no fixed version can be derived from it.
|
Credits
Dudu Moyal, Moriel Harush - Peer Security LTD
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-42337",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-28T14:17:29.159212Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-28T14:17:41.642Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CyberArk Identity Management",
"vendor": "CyberArk",
"versions": [
{
"lessThan": "Upgrade to latest version",
"status": "affected",
"version": "All versions",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dudu Moyal, Moriel Harush - Peer Security LTD"
}
],
"datePublic": "2024-08-25T07:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CyberArk - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor\u003cbr\u003e"
}
],
"value": "CyberArk - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-25T07:03:24.805Z",
"orgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f",
"shortName": "INCD"
},
"references": [
{
"url": "https://www.gov.il/en/Departments/faq/cve_advisories"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eUpgrade to latest version\u003c/span\u003e\n\n\u003cbr\u003e"
}
],
"value": "Upgrade to latest version"
}
],
"source": {
"advisory": "ILVN-2024-0190",
"discovery": "UNKNOWN"
},
"title": "CyberArk - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f",
"assignerShortName": "INCD",
"cveId": "CVE-2024-42337",
"datePublished": "2024-08-25T07:03:24.805Z",
"dateReserved": "2024-07-30T09:20:10.447Z",
"dateUpdated": "2024-08-28T14:17:41.642Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-22700 (GCVE-0-2022-22700)
Vulnerability from nvd – Published: 2022-03-03 18:20 – Updated: 2024-08-03 03:21
Summary
CyberArk Identity versions up to and including 22.1 in the 'StartAuthentication' resource, exposes the response header 'X-CFY-TX-TM'. In certain configurations, that response header contains different, predictable value ranges which can be used to determine whether a user exists in the tenant.
Severity ?
No CVSS data available.
CWE
- User enumeration
Assigner
References
| URL | Tags |
|---|---|
| https://fluidattacks.com/advisories/porter/ | x_refsource_MISC (finder advisory) |
| https://docs.cyberark.com/Product-Doc/OnlineHelp/Idaptive/Latest/en/Content/ReleaseNotes/ReleaseNotes-Latest.htm | x_refsource_MISC (vendor release notes) |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | CyberArk Identity |
Affected:
22.1 (the description states that all versions up to and including 22.1 are affected; the CNA version list names only 22.1 and gives no fixed version, so consult the vendor release notes linked above for the remediated release)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:21:49.056Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://fluidattacks.com/advisories/porter/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.cyberark.com/Product-Doc/OnlineHelp/Idaptive/Latest/en/Content/ReleaseNotes/ReleaseNotes-Latest.htm"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "CyberArk Identity",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "22.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "CyberArk Identity versions up to and including 22.1 in the \u0027StartAuthentication\u0027 resource, exposes the response header \u0027X-CFY-TX-TM\u0027. In certain configurations, that response header contains different, predictable value ranges which can be used to determine whether a user exists in the tenant."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "User enumeration",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-03-03T18:20:21",
"orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"shortName": "Fluid Attacks"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://fluidattacks.com/advisories/porter/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.cyberark.com/Product-Doc/OnlineHelp/Idaptive/Latest/en/Content/ReleaseNotes/ReleaseNotes-Latest.htm"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "help@fluidattacks.com",
"ID": "CVE-2022-22700",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "CyberArk Identity",
"version": {
"version_data": [
{
"version_value": "22.1"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "CyberArk Identity versions up to and including 22.1 in the \u0027StartAuthentication\u0027 resource, exposes the response header \u0027X-CFY-TX-TM\u0027. In certain configurations, that response header contains different, predictable value ranges which can be used to determine whether a user exists in the tenant."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "User enumeration"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://fluidattacks.com/advisories/porter/",
"refsource": "MISC",
"url": "https://fluidattacks.com/advisories/porter/"
},
{
"name": "https://docs.cyberark.com/Product-Doc/OnlineHelp/Idaptive/Latest/en/Content/ReleaseNotes/ReleaseNotes-Latest.htm",
"refsource": "MISC",
"url": "https://docs.cyberark.com/Product-Doc/OnlineHelp/Idaptive/Latest/en/Content/ReleaseNotes/ReleaseNotes-Latest.htm"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"assignerShortName": "Fluid Attacks",
"cveId": "CVE-2022-22700",
"datePublished": "2022-03-03T18:20:21",
"dateReserved": "2022-01-05T00:00:00",
"dateUpdated": "2024-08-03T03:21:49.056Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-37151 (GCVE-0-2021-37151)
Vulnerability from nvd – Published: 2021-09-01 12:35 – Updated: 2024-08-04 01:16
Summary
CyberArk Identity 21.5.131, when handling an invalid authentication attempt, sometimes reveals whether the username is valid. In certain authentication policy configurations with MFA, the API response length can be used to differentiate between a valid user and an invalid one (aka Username Enumeration). Response differentiation enables attackers to enumerate usernames of valid application users. Attackers can use this information to leverage brute-force and dictionary attacks in order to discover valid account information such as passwords.
Severity ?
No CVSS data available.
CWE
- Username Enumeration Vulnerability
Assigner
References
| URL | Tags |
|---|---|
| https://www.cyberark.com/products/ | x_refsource_MISC (generic vendor product page, not a security advisory) |
| https://www.gov.il/en/departments/faq/cve_advisories | x_refsource_MISC (INCD advisory index) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T01:16:02.865Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.cyberark.com/products/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.gov.il/en/departments/faq/cve_advisories"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Identity",
"vendor": "CyberArk",
"versions": [
{
"status": "affected",
"version": "21.5.131"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "CyberArk Identity 21.5.131, when handling an invalid authentication attempt, sometimes reveals whether the username is valid. In certain authentication policy configurations with MFA, the API response length can be used to differentiate between a valid user and an invalid one (aka Username Enumeration). Response differentiation enables attackers to enumerate usernames of valid application users. Attackers can use this information to leverage brute-force and dictionary attacks in order to discover valid account information such as passwords."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Username Enumeration Vulnerability",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-02T13:24:35",
"orgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f",
"shortName": "INCD"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.cyberark.com/products/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.gov.il/en/departments/faq/cve_advisories"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@cyber.gov.il",
"ID": "CVE-2021-37151",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Identity",
"version": {
"version_data": [
{
"version_value": "21.5.131"
}
]
}
}
]
},
"vendor_name": "CyberArk"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "CyberArk Identity 21.5.131, when handling an invalid authentication attempt, sometimes reveals whether the username is valid. In certain authentication policy configurations with MFA, the API response length can be used to differentiate between a valid user and an invalid one (aka Username Enumeration). Response differentiation enables attackers to enumerate usernames of valid application users. Attackers can use this information to leverage brute-force and dictionary attacks in order to discover valid account information such as passwords."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Username Enumeration Vulnerability"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.cyberark.com/products/",
"refsource": "MISC",
"url": "https://www.cyberark.com/products/"
},
{
"name": "https://www.gov.il/en/departments/faq/cve_advisories",
"refsource": "MISC",
"url": "https://www.gov.il/en/departments/faq/cve_advisories"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f",
"assignerShortName": "INCD",
"cveId": "CVE-2021-37151",
"datePublished": "2021-09-01T12:35:08",
"dateReserved": "2021-07-21T00:00:00",
"dateUpdated": "2024-08-04T01:16:02.865Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}