CVE-2021-31796

EUVD-2021-18677
An inadequate encryption vulnerability discovered in CyberArk Credential Provider before 12.1 may lead to Information Disclosure. An attacker may realistically have enough information that the number of possible keys (for a credential file) is only one, and the number is usually not higher than 2^36.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 69%
Affected Products (NVD)
VendorProductVersion
cyberarkcredential_provider
𝑥
< 12.1
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://packetstormsecurity.com/files/164023/CyberArk-Credential-File-Insufficient-Effective-Key-Space.html
http://seclists.org/fulldisclosure/2021/Sep/1
https://korelogic.com/Resources/Advisories/KL-001-2021-008.txt
https://www.cyberark.com/resources/blog
http://packetstormsecurity.com/files/164023/CyberArk-Credential-File-Insufficient-Effective-Key-Space.html
http://seclists.org/fulldisclosure/2021/Sep/1
https://korelogic.com/Resources/Advisories/KL-001-2021-008.txt
https://www.cyberark.com/resources/blog