Vulnerabilities > CVE-2021-31797 - Insufficient Entropy vulnerability in Cyberark Credential Provider
Attack vector
LOCAL Attack complexity
HIGH Privileges required
NONE Confidentiality impact
HIGH Integrity impact
NONE Availability impact
NONE Summary
The user identification mechanism used by CyberArk Credential Provider prior to 12.1 is susceptible to a local host race condition, leading to password disclosure.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 1 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
References
- http://packetstormsecurity.com/files/164033/CyberArk-Credential-Provider-Race-Condition-Authorization-Bypass.html
- http://packetstormsecurity.com/files/164033/CyberArk-Credential-Provider-Race-Condition-Authorization-Bypass.html
- http://seclists.org/fulldisclosure/2021/Sep/2
- http://seclists.org/fulldisclosure/2021/Sep/2
- https://korelogic.com/Resources/Advisories/KL-001-2021-009.txt
- https://korelogic.com/Resources/Advisories/KL-001-2021-009.txt
- https://www.cyberark.com/resources/blog
- https://www.cyberark.com/resources/blog