Username Enumeration Vulnerability in CyberArk Identity
CVE-2021-37151

5.3MEDIUM

Key Information:

Vendor: Cyberark
Status: Identity
Vendor: CVE Published:; 1 September 2021

What is CVE-2021-37151?

An issue in CyberArk Identity version 21.5.131 allows an attacker to ascertain whether a username exists within the application by observing the differences in API response lengths for valid and invalid authentication attempts. This vulnerability can be exploited in specific configurations involving Multi-Factor Authentication (MFA), where response timing can inadvertently provide insights into known usernames. As a result, attackers may leverage this flaw to conduct enumeration attacks, leading to subsequent brute-force or dictionary attacks aimed at compromising user accounts and extracting sensitive information such as passwords.

Affected Version(s)

Identity 21.5.131

References

https://www.cyberark.com/products/

x_refsource_MISC

https://www.gov.il/en/departments/faq/cve_advisories

x_refsource_MISC

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 1, 2021
Vulnerability Reserved
Jul 21, 2021

Cyberark

What is CVE-2021-37151?

Affected Version(s)

References

CVSS V3.1

Timeline