3 results (0.023 seconds)

CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0

An inadequate encryption vulnerability discovered in CyberArk Credential Provider before 12.1 may lead to Information Disclosure. An attacker may realistically have enough information that the number of possible keys (for a credential file) is only one, and the number is usually not higher than 2^36. Una vulnerabilidad de cifrado inadecuado detectada en CyberArk Credential Provider versiones anteriores a 12.1, puede conllevar a una Divulgación de Información. Un atacante puede tener, de forma realista, suficiente información como para que el número de claves posibles (para un archivo de credenciales) sea sólo uno, y el número no suele ser superior a 2^36 • http://packetstormsecurity.com/files/164023/CyberArk-Credential-File-Insufficient-Effective-Key-Space.html http://seclists.org/fulldisclosure/2021/Sep/1 https://korelogic.com/Resources/Advisories/KL-001-2021-008.txt https://www.cyberark.com/resources/blog • CWE-327: Use of a Broken or Risky Cryptographic Algorithm •

CVSS: 4.4EPSS: 0%CPEs: 1EXPL: 0

The effective key space used to encrypt the cache in CyberArk Credential Provider prior to 12.1 has low entropy, and under certain conditions a local malicious user can obtain the plaintext of cache files. El espacio de claves efectivo usado para cifrar la caché en CyberArk Credential Provider versiones anteriores a 12.1, presenta una entropía baja, y en determinadas condiciones un usuario local malicioso puede obtener el texto plano de los archivos de la caché • http://packetstormsecurity.com/files/164035/CyberArk-Credential-Provider-Local-Cache-Decryption.html http://seclists.org/fulldisclosure/2021/Sep/3 https://korelogic.com/Resources/Advisories/KL-001-2021-010.txt https://www.cyberark.com/resources/blog • CWE-331: Insufficient Entropy •

CVSS: 5.1EPSS: 0%CPEs: 1EXPL: 0

The user identification mechanism used by CyberArk Credential Provider prior to 12.1 is susceptible to a local host race condition, leading to password disclosure. El mecanismo de identificación de usuarios usado por CyberArk Credential Provider versiones anteriores a 12.1, es susceptible a una condición de carrera del host local, conllevando a una divulgación de contraseña CyberArk's Credential Provider loopback communications on TCP port 18923 are encrypted with key material that has extremely low entropy. In all currently-known use cases, the effective key space is less than 2^16. For an attacker who understands the key derivation scheme and encryption mechanics, knowledge of the source port and access to the payloads of a given client-server exchange are sufficient to reduce effective key space to one. In cases where the source port is not known, the encrypted payloads will be unable to withstand a brute force attack. • http://packetstormsecurity.com/files/164033/CyberArk-Credential-Provider-Race-Condition-Authorization-Bypass.html http://seclists.org/fulldisclosure/2021/Sep/2 https://korelogic.com/Resources/Advisories/KL-001-2021-009.txt https://www.cyberark.com/resources/blog • CWE-331: Insufficient Entropy CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •