CVE-2021-37151 is a vulnerability in CyberArk Identity
Published on September 1, 2021
CyberArk Identity 21.5.131, when handling an invalid authentication attempt, sometimes reveals whether the username is valid. In certain authentication policy configurations with MFA, the API response length can be used to differentiate between a valid user and an invalid one (aka Username Enumeration). Response differentiation enables attackers to enumerate usernames of valid application users. Attackers can use this information to leverage brute-force and dictionary attacks in order to discover valid account information such as passwords.
Products Associated with CVE-2021-37151
Want to know whenever a new CVE is published for CyberArk Identity? stack.watch will email you.
Affected Versions
CyberArk Identity Version 21.5.131 is affected by CVE-2021-37151Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.