Host Header Injection Vulnerability in CyberArk Privileged Access Manager Self-Hosted
CVE-2024-54840
6.1 MEDIUM
What is CVE-2024-54840?
The Password Vault Web Access (PVWA) component of CyberArk's Privileged Access Manager Self-Hosted does not adequately validate Host headers. This can lead to host header injection attacks, allowing malicious users to manipulate the environment in ways that could compromise system integrity. The issue affects versions prior to 14.4, so affected users should upgrade to mitigate the associated risks.
Affected Version(s)
Privileged Access Manager 0 < 14.4
References
CVSS V3.1
Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Timeline
Vulnerability published
Vulnerability Reserved