Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2021-31796

An inadequate encryption vulnerability discovered in CyberArk Credential Provider before 12.1 may lead to Information Disclosure. An attacker may realistically have enough information that the number of possible keys (for a credential file) is only one, and the number is usually not higher than 2^36.

Published

2021-09-02T01:15:06.400

Last Modified

2024-11-21T06:06:14.343

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 7.5 (HIGH)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:P/I:N/A:N

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

Exploitability Score

10.0

Impact Score

2.9

Weaknesses

Type: Primary
CWE-327

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	cyberark	credential_provider	< 12.1	Yes

References

http://packetstormsecurity.com/files/164023/CyberArk-Credential-File-Insufficient-Effective-Key-Space.html Third Party Advisory, VDB Entry ([email protected])
http://seclists.org/fulldisclosure/2021/Sep/1 Mailing List, Third Party Advisory ([email protected])
https://korelogic.com/Resources/Advisories/KL-001-2021-008.txt Mailing List, Third Party Advisory ([email protected])
https://www.cyberark.com/resources/blog Product ([email protected])
http://packetstormsecurity.com/files/164023/CyberArk-Credential-File-Insufficient-Effective-Key-Space.html Third Party Advisory, VDB Entry (af854a3a-2127-422b-91ae-364da2661108)
http://seclists.org/fulldisclosure/2021/Sep/1 Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://korelogic.com/Resources/Advisories/KL-001-2021-008.txt Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.cyberark.com/resources/blog Product (af854a3a-2127-422b-91ae-364da2661108)