Search criteria
12 vulnerabilities found for Identity by CyberArk
CVE-2024-42340 (GCVE-0-2024-42340)
Vulnerability from nvd – Published: 2024-08-25 07:12 – Updated: 2024-08-26 19:18
VLAI?
Title
CyberArk - CWE-602: Client-Side Enforcement of Server-Side Security
Summary
CyberArk - CWE-602: Client-Side Enforcement of Server-Side Security
Severity ?
8.3 (High)
CWE
- CWE-602 - Client-Side Enforcement of Server-Side Security
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| CyberArk | CyberArk Identity Management |
Affected:
All versions , < Upgrade to latest version
(custom)
|
Credits
Dudu Moyal, Moriel Harush - Peer Security LTD
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:cyberark:identity:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "identity",
"vendor": "cyberark",
"versions": [
{
"lessThan": "24.8",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-42340",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-26T19:12:54.293755Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-26T19:18:05.719Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CyberArk Identity Management",
"vendor": "CyberArk",
"versions": [
{
"lessThan": "Upgrade to latest version",
"status": "affected",
"version": "All versions",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dudu Moyal, Moriel Harush - Peer Security LTD"
}
],
"datePublic": "2024-08-25T07:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CyberArk - CWE-602: Client-Side Enforcement of Server-Side Security\u003cbr\u003e"
}
],
"value": "CyberArk - CWE-602: Client-Side Enforcement of Server-Side Security"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-602",
"description": "CWE-602: Client-Side Enforcement of Server-Side Security",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-25T07:12:05.219Z",
"orgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f",
"shortName": "INCD"
},
"references": [
{
"url": "https://www.gov.il/en/Departments/faq/cve_advisories"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eUpgrade to latest version\u003c/span\u003e\n\n\u003cbr\u003e"
}
],
"value": "Upgrade to latest version"
}
],
"source": {
"advisory": "ILVN-2024-0193",
"discovery": "UNKNOWN"
},
"title": "CyberArk - CWE-602: Client-Side Enforcement of Server-Side Security",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f",
"assignerShortName": "INCD",
"cveId": "CVE-2024-42340",
"datePublished": "2024-08-25T07:12:05.219Z",
"dateReserved": "2024-07-30T09:20:10.447Z",
"dateUpdated": "2024-08-26T19:18:05.719Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-42339 (GCVE-0-2024-42339)
Vulnerability from nvd – Published: 2024-08-25 07:08 – Updated: 2024-08-28 16:01
VLAI?
Title
CyberArk - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
Summary
CyberArk - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
Severity ?
4.3 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| CyberArk | CyberArk Identity Management |
Affected:
All versions , < Upgrade to latest version
(custom)
|
Credits
Dudu Moyal, Moriel Harush - Peer Security LTD
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-42339",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-28T16:00:53.016135Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-28T16:01:09.988Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CyberArk Identity Management",
"vendor": "CyberArk",
"versions": [
{
"lessThan": "Upgrade to latest version",
"status": "affected",
"version": "All versions",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dudu Moyal, Moriel Harush - Peer Security LTD"
}
],
"datePublic": "2024-08-25T07:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CyberArk - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor\u003cbr\u003e"
}
],
"value": "CyberArk - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-25T07:08:37.856Z",
"orgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f",
"shortName": "INCD"
},
"references": [
{
"url": "https://www.gov.il/en/Departments/faq/cve_advisories"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eUpgrade to latest version\u003c/span\u003e\n\n\u003cbr\u003e"
}
],
"value": "Upgrade to latest version"
}
],
"source": {
"advisory": "ILVN-2024-0192",
"discovery": "UNKNOWN"
},
"title": "CyberArk - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f",
"assignerShortName": "INCD",
"cveId": "CVE-2024-42339",
"datePublished": "2024-08-25T07:08:37.856Z",
"dateReserved": "2024-07-30T09:20:10.447Z",
"dateUpdated": "2024-08-28T16:01:09.988Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-42338 (GCVE-0-2024-42338)
Vulnerability from nvd – Published: 2024-08-25 07:07 – Updated: 2024-08-26 15:24
VLAI?
Title
CyberArk - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
Summary
CyberArk - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
Severity ?
4.3 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| CyberArk | CyberArk Identity Management |
Affected:
All versions , < Upgrade to latest version
(custom)
|
Credits
Dudu Moyal, Moriel Harush - Peer Security LTD
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-42338",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-26T15:24:32.747117Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-26T15:24:55.654Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CyberArk Identity Management",
"vendor": "CyberArk",
"versions": [
{
"lessThan": "Upgrade to latest version",
"status": "affected",
"version": "All versions",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dudu Moyal, Moriel Harush - Peer Security LTD"
}
],
"datePublic": "2024-08-25T07:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CyberArk - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor\u003cbr\u003e"
}
],
"value": "CyberArk - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-25T07:07:59.731Z",
"orgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f",
"shortName": "INCD"
},
"references": [
{
"url": "https://www.gov.il/en/Departments/faq/cve_advisories"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eUpgrade to latest version\u003c/span\u003e\n\n\u003cbr\u003e"
}
],
"value": "Upgrade to latest version"
}
],
"source": {
"advisory": "ILVN-2024-0191",
"discovery": "UNKNOWN"
},
"title": "CyberArk - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f",
"assignerShortName": "INCD",
"cveId": "CVE-2024-42338",
"datePublished": "2024-08-25T07:07:59.731Z",
"dateReserved": "2024-07-30T09:20:10.447Z",
"dateUpdated": "2024-08-26T15:24:55.654Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-42337 (GCVE-0-2024-42337)
Vulnerability from nvd – Published: 2024-08-25 07:03 – Updated: 2024-08-28 14:17
VLAI?
Title
CyberArk - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
Summary
CyberArk - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
Severity ?
4.3 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| CyberArk | CyberArk Identity Management |
Affected:
All versions , < Upgrade to latest version
(custom)
|
Credits
Dudu Moyal, Moriel Harush - Peer Security LTD
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-42337",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-28T14:17:29.159212Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-28T14:17:41.642Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CyberArk Identity Management",
"vendor": "CyberArk",
"versions": [
{
"lessThan": "Upgrade to latest version",
"status": "affected",
"version": "All versions",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dudu Moyal, Moriel Harush - Peer Security LTD"
}
],
"datePublic": "2024-08-25T07:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CyberArk - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor\u003cbr\u003e"
}
],
"value": "CyberArk - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-25T07:03:24.805Z",
"orgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f",
"shortName": "INCD"
},
"references": [
{
"url": "https://www.gov.il/en/Departments/faq/cve_advisories"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eUpgrade to latest version\u003c/span\u003e\n\n\u003cbr\u003e"
}
],
"value": "Upgrade to latest version"
}
],
"source": {
"advisory": "ILVN-2024-0190",
"discovery": "UNKNOWN"
},
"title": "CyberArk - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f",
"assignerShortName": "INCD",
"cveId": "CVE-2024-42337",
"datePublished": "2024-08-25T07:03:24.805Z",
"dateReserved": "2024-07-30T09:20:10.447Z",
"dateUpdated": "2024-08-28T14:17:41.642Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-22700 (GCVE-0-2022-22700)
Vulnerability from nvd – Published: 2022-03-03 18:20 – Updated: 2024-08-03 03:21
VLAI?
Summary
CyberArk Identity versions up to and including 22.1 in the 'StartAuthentication' resource, exposes the response header 'X-CFY-TX-TM'. In certain configurations, that response header contains different, predictable value ranges which can be used to determine whether a user exists in the tenant.
Severity ?
No CVSS data available.
CWE
- User enumeration
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | CyberArk Identity |
Affected:
22.1
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:21:49.056Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://fluidattacks.com/advisories/porter/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.cyberark.com/Product-Doc/OnlineHelp/Idaptive/Latest/en/Content/ReleaseNotes/ReleaseNotes-Latest.htm"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "CyberArk Identity",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "22.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "CyberArk Identity versions up to and including 22.1 in the \u0027StartAuthentication\u0027 resource, exposes the response header \u0027X-CFY-TX-TM\u0027. In certain configurations, that response header contains different, predictable value ranges which can be used to determine whether a user exists in the tenant."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "User enumeration",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-03-03T18:20:21",
"orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"shortName": "Fluid Attacks"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://fluidattacks.com/advisories/porter/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.cyberark.com/Product-Doc/OnlineHelp/Idaptive/Latest/en/Content/ReleaseNotes/ReleaseNotes-Latest.htm"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "help@fluidattacks.com",
"ID": "CVE-2022-22700",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "CyberArk Identity",
"version": {
"version_data": [
{
"version_value": "22.1"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "CyberArk Identity versions up to and including 22.1 in the \u0027StartAuthentication\u0027 resource, exposes the response header \u0027X-CFY-TX-TM\u0027. In certain configurations, that response header contains different, predictable value ranges which can be used to determine whether a user exists in the tenant."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "User enumeration"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://fluidattacks.com/advisories/porter/",
"refsource": "MISC",
"url": "https://fluidattacks.com/advisories/porter/"
},
{
"name": "https://docs.cyberark.com/Product-Doc/OnlineHelp/Idaptive/Latest/en/Content/ReleaseNotes/ReleaseNotes-Latest.htm",
"refsource": "MISC",
"url": "https://docs.cyberark.com/Product-Doc/OnlineHelp/Idaptive/Latest/en/Content/ReleaseNotes/ReleaseNotes-Latest.htm"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"assignerShortName": "Fluid Attacks",
"cveId": "CVE-2022-22700",
"datePublished": "2022-03-03T18:20:21",
"dateReserved": "2022-01-05T00:00:00",
"dateUpdated": "2024-08-03T03:21:49.056Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-37151 (GCVE-0-2021-37151)
Vulnerability from nvd – Published: 2021-09-01 12:35 – Updated: 2024-08-04 01:16
VLAI?
Summary
CyberArk Identity 21.5.131, when handling an invalid authentication attempt, sometimes reveals whether the username is valid. In certain authentication policy configurations with MFA, the API response length can be used to differentiate between a valid user and an invalid one (aka Username Enumeration). Response differentiation enables attackers to enumerate usernames of valid application users. Attackers can use this information to leverage brute-force and dictionary attacks in order to discover valid account information such as passwords.
Severity ?
No CVSS data available.
CWE
- Username Enumeration Vulnerability
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T01:16:02.865Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.cyberark.com/products/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.gov.il/en/departments/faq/cve_advisories"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Identity",
"vendor": "CyberArk",
"versions": [
{
"status": "affected",
"version": "21.5.131"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "CyberArk Identity 21.5.131, when handling an invalid authentication attempt, sometimes reveals whether the username is valid. In certain authentication policy configurations with MFA, the API response length can be used to differentiate between a valid user and an invalid one (aka Username Enumeration). Response differentiation enables attackers to enumerate usernames of valid application users. Attackers can use this information to leverage brute-force and dictionary attacks in order to discover valid account information such as passwords."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Username Enumeration Vulnerability",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-02T13:24:35",
"orgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f",
"shortName": "INCD"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.cyberark.com/products/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.gov.il/en/departments/faq/cve_advisories"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@cyber.gov.il",
"ID": "CVE-2021-37151",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Identity",
"version": {
"version_data": [
{
"version_value": "21.5.131"
}
]
}
}
]
},
"vendor_name": "CyberArk"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "CyberArk Identity 21.5.131, when handling an invalid authentication attempt, sometimes reveals whether the username is valid. In certain authentication policy configurations with MFA, the API response length can be used to differentiate between a valid user and an invalid one (aka Username Enumeration). Response differentiation enables attackers to enumerate usernames of valid application users. Attackers can use this information to leverage brute-force and dictionary attacks in order to discover valid account information such as passwords."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Username Enumeration Vulnerability"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.cyberark.com/products/",
"refsource": "MISC",
"url": "https://www.cyberark.com/products/"
},
{
"name": "https://www.gov.il/en/departments/faq/cve_advisories",
"refsource": "MISC",
"url": "https://www.gov.il/en/departments/faq/cve_advisories"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f",
"assignerShortName": "INCD",
"cveId": "CVE-2021-37151",
"datePublished": "2021-09-01T12:35:08",
"dateReserved": "2021-07-21T00:00:00",
"dateUpdated": "2024-08-04T01:16:02.865Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-42340 (GCVE-0-2024-42340)
Vulnerability from cvelistv5 – Published: 2024-08-25 07:12 – Updated: 2024-08-26 19:18
VLAI?
Title
CyberArk - CWE-602: Client-Side Enforcement of Server-Side Security
Summary
CyberArk - CWE-602: Client-Side Enforcement of Server-Side Security
Severity ?
8.3 (High)
CWE
- CWE-602 - Client-Side Enforcement of Server-Side Security
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| CyberArk | CyberArk Identity Management |
Affected:
All versions , < Upgrade to latest version
(custom)
|
Credits
Dudu Moyal, Moriel Harush - Peer Security LTD
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:cyberark:identity:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "identity",
"vendor": "cyberark",
"versions": [
{
"lessThan": "24.8",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-42340",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-26T19:12:54.293755Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-26T19:18:05.719Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CyberArk Identity Management",
"vendor": "CyberArk",
"versions": [
{
"lessThan": "Upgrade to latest version",
"status": "affected",
"version": "All versions",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dudu Moyal, Moriel Harush - Peer Security LTD"
}
],
"datePublic": "2024-08-25T07:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CyberArk - CWE-602: Client-Side Enforcement of Server-Side Security\u003cbr\u003e"
}
],
"value": "CyberArk - CWE-602: Client-Side Enforcement of Server-Side Security"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-602",
"description": "CWE-602: Client-Side Enforcement of Server-Side Security",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-25T07:12:05.219Z",
"orgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f",
"shortName": "INCD"
},
"references": [
{
"url": "https://www.gov.il/en/Departments/faq/cve_advisories"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eUpgrade to latest version\u003c/span\u003e\n\n\u003cbr\u003e"
}
],
"value": "Upgrade to latest version"
}
],
"source": {
"advisory": "ILVN-2024-0193",
"discovery": "UNKNOWN"
},
"title": "CyberArk - CWE-602: Client-Side Enforcement of Server-Side Security",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f",
"assignerShortName": "INCD",
"cveId": "CVE-2024-42340",
"datePublished": "2024-08-25T07:12:05.219Z",
"dateReserved": "2024-07-30T09:20:10.447Z",
"dateUpdated": "2024-08-26T19:18:05.719Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-42339 (GCVE-0-2024-42339)
Vulnerability from cvelistv5 – Published: 2024-08-25 07:08 – Updated: 2024-08-28 16:01
VLAI?
Title
CyberArk - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
Summary
CyberArk - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
Severity ?
4.3 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| CyberArk | CyberArk Identity Management |
Affected:
All versions , < Upgrade to latest version
(custom)
|
Credits
Dudu Moyal, Moriel Harush - Peer Security LTD
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-42339",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-28T16:00:53.016135Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-28T16:01:09.988Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CyberArk Identity Management",
"vendor": "CyberArk",
"versions": [
{
"lessThan": "Upgrade to latest version",
"status": "affected",
"version": "All versions",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dudu Moyal, Moriel Harush - Peer Security LTD"
}
],
"datePublic": "2024-08-25T07:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CyberArk - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor\u003cbr\u003e"
}
],
"value": "CyberArk - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-25T07:08:37.856Z",
"orgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f",
"shortName": "INCD"
},
"references": [
{
"url": "https://www.gov.il/en/Departments/faq/cve_advisories"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eUpgrade to latest version\u003c/span\u003e\n\n\u003cbr\u003e"
}
],
"value": "Upgrade to latest version"
}
],
"source": {
"advisory": "ILVN-2024-0192",
"discovery": "UNKNOWN"
},
"title": "CyberArk - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f",
"assignerShortName": "INCD",
"cveId": "CVE-2024-42339",
"datePublished": "2024-08-25T07:08:37.856Z",
"dateReserved": "2024-07-30T09:20:10.447Z",
"dateUpdated": "2024-08-28T16:01:09.988Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-42338 (GCVE-0-2024-42338)
Vulnerability from cvelistv5 – Published: 2024-08-25 07:07 – Updated: 2024-08-26 15:24
VLAI?
Title
CyberArk - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
Summary
CyberArk - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
Severity ?
4.3 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| CyberArk | CyberArk Identity Management |
Affected:
All versions , < Upgrade to latest version
(custom)
|
Credits
Dudu Moyal, Moriel Harush - Peer Security LTD
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-42338",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-26T15:24:32.747117Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-26T15:24:55.654Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CyberArk Identity Management",
"vendor": "CyberArk",
"versions": [
{
"lessThan": "Upgrade to latest version",
"status": "affected",
"version": "All versions",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dudu Moyal, Moriel Harush - Peer Security LTD"
}
],
"datePublic": "2024-08-25T07:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CyberArk - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor\u003cbr\u003e"
}
],
"value": "CyberArk - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-25T07:07:59.731Z",
"orgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f",
"shortName": "INCD"
},
"references": [
{
"url": "https://www.gov.il/en/Departments/faq/cve_advisories"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eUpgrade to latest version\u003c/span\u003e\n\n\u003cbr\u003e"
}
],
"value": "Upgrade to latest version"
}
],
"source": {
"advisory": "ILVN-2024-0191",
"discovery": "UNKNOWN"
},
"title": "CyberArk - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f",
"assignerShortName": "INCD",
"cveId": "CVE-2024-42338",
"datePublished": "2024-08-25T07:07:59.731Z",
"dateReserved": "2024-07-30T09:20:10.447Z",
"dateUpdated": "2024-08-26T15:24:55.654Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-42337 (GCVE-0-2024-42337)
Vulnerability from cvelistv5 – Published: 2024-08-25 07:03 – Updated: 2024-08-28 14:17
VLAI?
Title
CyberArk - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
Summary
CyberArk - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
Severity ?
4.3 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| CyberArk | CyberArk Identity Management |
Affected:
All versions , < Upgrade to latest version
(custom)
|
Credits
Dudu Moyal, Moriel Harush - Peer Security LTD
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-42337",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-28T14:17:29.159212Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-28T14:17:41.642Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CyberArk Identity Management",
"vendor": "CyberArk",
"versions": [
{
"lessThan": "Upgrade to latest version",
"status": "affected",
"version": "All versions",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dudu Moyal, Moriel Harush - Peer Security LTD"
}
],
"datePublic": "2024-08-25T07:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CyberArk - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor\u003cbr\u003e"
}
],
"value": "CyberArk - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-25T07:03:24.805Z",
"orgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f",
"shortName": "INCD"
},
"references": [
{
"url": "https://www.gov.il/en/Departments/faq/cve_advisories"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eUpgrade to latest version\u003c/span\u003e\n\n\u003cbr\u003e"
}
],
"value": "Upgrade to latest version"
}
],
"source": {
"advisory": "ILVN-2024-0190",
"discovery": "UNKNOWN"
},
"title": "CyberArk - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f",
"assignerShortName": "INCD",
"cveId": "CVE-2024-42337",
"datePublished": "2024-08-25T07:03:24.805Z",
"dateReserved": "2024-07-30T09:20:10.447Z",
"dateUpdated": "2024-08-28T14:17:41.642Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-22700 (GCVE-0-2022-22700)
Vulnerability from cvelistv5 – Published: 2022-03-03 18:20 – Updated: 2024-08-03 03:21
VLAI?
Summary
CyberArk Identity versions up to and including 22.1 in the 'StartAuthentication' resource, exposes the response header 'X-CFY-TX-TM'. In certain configurations, that response header contains different, predictable value ranges which can be used to determine whether a user exists in the tenant.
Severity ?
No CVSS data available.
CWE
- User enumeration
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | CyberArk Identity |
Affected:
22.1
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:21:49.056Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://fluidattacks.com/advisories/porter/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.cyberark.com/Product-Doc/OnlineHelp/Idaptive/Latest/en/Content/ReleaseNotes/ReleaseNotes-Latest.htm"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "CyberArk Identity",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "22.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "CyberArk Identity versions up to and including 22.1 in the \u0027StartAuthentication\u0027 resource, exposes the response header \u0027X-CFY-TX-TM\u0027. In certain configurations, that response header contains different, predictable value ranges which can be used to determine whether a user exists in the tenant."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "User enumeration",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-03-03T18:20:21",
"orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"shortName": "Fluid Attacks"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://fluidattacks.com/advisories/porter/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.cyberark.com/Product-Doc/OnlineHelp/Idaptive/Latest/en/Content/ReleaseNotes/ReleaseNotes-Latest.htm"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "help@fluidattacks.com",
"ID": "CVE-2022-22700",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "CyberArk Identity",
"version": {
"version_data": [
{
"version_value": "22.1"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "CyberArk Identity versions up to and including 22.1 in the \u0027StartAuthentication\u0027 resource, exposes the response header \u0027X-CFY-TX-TM\u0027. In certain configurations, that response header contains different, predictable value ranges which can be used to determine whether a user exists in the tenant."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "User enumeration"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://fluidattacks.com/advisories/porter/",
"refsource": "MISC",
"url": "https://fluidattacks.com/advisories/porter/"
},
{
"name": "https://docs.cyberark.com/Product-Doc/OnlineHelp/Idaptive/Latest/en/Content/ReleaseNotes/ReleaseNotes-Latest.htm",
"refsource": "MISC",
"url": "https://docs.cyberark.com/Product-Doc/OnlineHelp/Idaptive/Latest/en/Content/ReleaseNotes/ReleaseNotes-Latest.htm"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"assignerShortName": "Fluid Attacks",
"cveId": "CVE-2022-22700",
"datePublished": "2022-03-03T18:20:21",
"dateReserved": "2022-01-05T00:00:00",
"dateUpdated": "2024-08-03T03:21:49.056Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-37151 (GCVE-0-2021-37151)
Vulnerability from cvelistv5 – Published: 2021-09-01 12:35 – Updated: 2024-08-04 01:16
VLAI?
Summary
CyberArk Identity 21.5.131, when handling an invalid authentication attempt, sometimes reveals whether the username is valid. In certain authentication policy configurations with MFA, the API response length can be used to differentiate between a valid user and an invalid one (aka Username Enumeration). Response differentiation enables attackers to enumerate usernames of valid application users. Attackers can use this information to leverage brute-force and dictionary attacks in order to discover valid account information such as passwords.
Severity ?
No CVSS data available.
CWE
- Username Enumeration Vulnerability
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T01:16:02.865Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.cyberark.com/products/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.gov.il/en/departments/faq/cve_advisories"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Identity",
"vendor": "CyberArk",
"versions": [
{
"status": "affected",
"version": "21.5.131"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "CyberArk Identity 21.5.131, when handling an invalid authentication attempt, sometimes reveals whether the username is valid. In certain authentication policy configurations with MFA, the API response length can be used to differentiate between a valid user and an invalid one (aka Username Enumeration). Response differentiation enables attackers to enumerate usernames of valid application users. Attackers can use this information to leverage brute-force and dictionary attacks in order to discover valid account information such as passwords."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Username Enumeration Vulnerability",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-02T13:24:35",
"orgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f",
"shortName": "INCD"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.cyberark.com/products/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.gov.il/en/departments/faq/cve_advisories"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@cyber.gov.il",
"ID": "CVE-2021-37151",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Identity",
"version": {
"version_data": [
{
"version_value": "21.5.131"
}
]
}
}
]
},
"vendor_name": "CyberArk"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "CyberArk Identity 21.5.131, when handling an invalid authentication attempt, sometimes reveals whether the username is valid. In certain authentication policy configurations with MFA, the API response length can be used to differentiate between a valid user and an invalid one (aka Username Enumeration). Response differentiation enables attackers to enumerate usernames of valid application users. Attackers can use this information to leverage brute-force and dictionary attacks in order to discover valid account information such as passwords."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Username Enumeration Vulnerability"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.cyberark.com/products/",
"refsource": "MISC",
"url": "https://www.cyberark.com/products/"
},
{
"name": "https://www.gov.il/en/departments/faq/cve_advisories",
"refsource": "MISC",
"url": "https://www.gov.il/en/departments/faq/cve_advisories"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f",
"assignerShortName": "INCD",
"cveId": "CVE-2021-37151",
"datePublished": "2021-09-01T12:35:08",
"dateReserved": "2021-07-21T00:00:00",
"dateUpdated": "2024-08-04T01:16:02.865Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}