Klayton Monroe

**Name of the Vulnerable Software and Affected Versions** CyberArk Credential Provider versions prior to 12.1 **Description** An inadequate encryption issue may lead to Information Disclosure. An attacker may have enough information to reduce the number of possible keys for a credential file to one, or at most 2^36. **Recommendations** For versions prior to 12.1, update to version 12.1 or later to resolve the issue. As a temporary workaround, consider restricting access to sensitive credential files until the update is applied.

**Name of the Vulnerable Software and Affected Versions** CyberArk Credential Provider versions prior to 12.1 **Description** The issue is related to the low entropy of the effective key space used to encrypt the cache in CyberArk Credential Provider. Under certain conditions, a local malicious user can obtain the plaintext of cache files. **Recommendations** For versions prior to 12.1, update to version 12.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** CyberArk Credential Provider versions prior to 12.1 **Description** The user identification mechanism used by CyberArk Credential Provider is susceptible to a local host race condition, leading to password disclosure. **Recommendations** For versions prior to 12.1, update to version 12.1 or later to resolve the issue. As a temporary workaround, consider implementing additional security measures to minimize the risk of password disclosure until a patch is applied.