CVE Vulnerability

CVE-2021-31796

An inadequate encryption vulnerability discovered in CyberArk Credential Provider before 12.1 may lead to Information Disclosure. An attacker may realistically have enough information that the number of possible keys (for a credential file) is only one, and the number is usually not higher than 2^36.

5 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 10 / Impact : 2.9

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

Scope

7.5 /10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://www.cyberark.com/resources/blog Product
https://korelogic.com/Resources/Advisories/KL-001-2021-008.txt Mailing List Third Party Advisory
http://seclists.org/fulldisclosure/2021/Sep/1 Mailing List Third Party Advisory
http://packetstormsecurity.com/files/164023/CyberArk-Credential-File-Insufficient-Effective-Key-Space.html Third Party Advisory VDB Entry
Configurations

Configuration 1

cpe:2.3:a:cyberark:credential_provider:*:*:*:*:*:*:*:*
Information

Published : 2021-09-02 01:15

Updated : 2022-07-12 05:42

NVD link : CVE-2021-31796

Mitre link : CVE-2021-31796

Products Affected
No products.
CWE
CWE-327