PT-2021-21533 · Cyberark · Cyberark Identity
Published
2021-09-01
·
Updated
2022-07-12
·
CVE-2021-37151
CVSS v3.1
5.3
Medium
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
CyberArk Identity version 21.5.131
Description
The issue allows attackers to differentiate between valid and invalid users through response length, enabling username enumeration. This can be used to leverage brute-force and dictionary attacks to discover valid account information such as passwords.
Recommendations
For CyberArk Identity version 21.5.131, consider restricting access to the authentication API until a patch is available, and review authentication policy configurations to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Side Channel Attack
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Cyberark Identity