First published: Wed Sep 01 2021
CyberArk Identity 21.5.131, when handling an invalid authentication attempt, sometimes reveals whether the username is valid. In certain authentication policy configurations with MFA, the length of the API response differs between a valid user and an invalid one, which allows username enumeration. This response differentiation lets attackers enumerate the usernames of valid application users and then mount brute-force and dictionary attacks against those accounts to discover credentials such as passwords.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| CyberArk Identity | <21.11.133 | Update to 21.11.133 or later |
The vulnerability ID for this vulnerability is CVE-2021-37151.
The severity level of CVE-2021-37151 is medium.
The affected software for CVE-2021-37151 is CyberArk Identity 21.5.131 up to, but not including, version 21.11.133.
CVE-2021-37151 affects CyberArk Identity by sometimes revealing whether the username is valid during an invalid authentication attempt.
Yes, a fix is available for CVE-2021-37151. Users should update to version 21.11.133 or later of CyberArk Identity to mitigate this vulnerability.
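To make the response-length oracle described above concrete, the following added example (not CyberArk's code; the user store, handler names and MFA flags are constructed) places a login handler whose failure body grows with extra MFA fields for known users beside one that returns an identical body for every failed attempt, together with the check a defender can run to confirm the oracle is gone.

```python
import hmac
import hashlib
import json

# Constructed user store: username -> (password hash, MFA enrolled). Sample data only.
USERS = {
    "alice": (hashlib.sha256(b"correct horse").hexdigest(), True),
    "bob": (hashlib.sha256(b"hunter2").hexdigest(), False),
}

def _password_ok(username: str, password: str) -> bool:
    # Fall back to a dummy hash so unknown users still go through the same comparison.
    stored, _ = USERS.get(username, ("0" * 64, False))
    return hmac.compare_digest(hashlib.sha256(password.encode()).hexdigest(), stored)

def login_leaky(username: str, password: str) -> str:
    """Vulnerable pattern: a known user under an MFA policy gets extra fields in the
    failure body, so its length differs from the body returned for an unknown user."""
    if username not in USERS:
        return json.dumps({"success": False, "error": "Invalid credentials"})
    _, mfa_enrolled = USERS[username]
    if not _password_ok(username, password):
        return json.dumps({"success": False, "error": "Invalid credentials",
                           "mfaRequired": mfa_enrolled, "challengeId": None})
    return json.dumps({"success": True, "mfaRequired": mfa_enrolled})

def login_uniform(username: str, password: str) -> str:
    """Hardened pattern: every failed attempt, known user or not, yields the identical
    body; MFA state is only disclosed once the password has verified."""
    if not _password_ok(username, password):
        return json.dumps({"success": False, "error": "Invalid credentials"})
    _, mfa_enrolled = USERS[username]
    return json.dumps({"success": True, "mfaRequired": mfa_enrolled})

def response_lengths_differ(handler, known_user: str, unknown_user: str) -> bool:
    """Defender's check: with a wrong password, do a known and an unknown username
    produce failure bodies of different length? True means the oracle is present."""
    known_len = len(handler(known_user, "wrong-password"))
    unknown_len = len(handler(unknown_user, "wrong-password"))
    return known_len != unknown_len

def succeeded(body: str) -> bool:
    """Parse a handler response and report whether authentication succeeded."""
    return json.loads(body)["success"] is True
```

Running the check against both handlers shows the leaky one distinguishing "alice" from a made-up name while the uniform one does not, which is the property a regression test for this class of bug should assert.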