CVE-2021-31798

Published: Sep 2, 2021Modified: Nov 21, 2024

4.4

Vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Exploitability: 0.8 / Impact: 3.6

Source: NVD

Description

The effective key space used to encrypt the cache in CyberArk Credential Provider prior to 12.1 has low entropy, and under certain conditions a local malicious user can obtain the plaintext of cache files.

Affected (1)

Products: Cyberark: Credential Provider

Cyberark

1 product

Credential Provider

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Cyberark Credential Provider	Before 12.1

Related CWEs

CWE-331

Insufficient Entropy

The product uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others.

References (8)

http://packetstormsecurity.com/files/164035/CyberArk-Credential-Provider-Local-Cache-Decryption.html

Source: cve@mitre.org

Third Party AdvisoryVDB Entry

http://seclists.org/fulldisclosure/2021/Sep/3

Source: cve@mitre.org

Mailing ListThird Party Advisory

https://korelogic.com/Resources/Advisories/KL-001-2021-010.txt

Source: cve@mitre.org

Third Party Advisory

https://www.cyberark.com/resources/blog

Source: cve@mitre.org

Product

http://packetstormsecurity.com/files/164035/CyberArk-Credential-Provider-Local-Cache-Decryption.html

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryVDB Entry

http://seclists.org/fulldisclosure/2021/Sep/3

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

https://korelogic.com/Resources/Advisories/KL-001-2021-010.txt

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://www.cyberark.com/resources/blog

Source: af854a3a-2127-422b-91ae-364da2661108

Product

Timeline

No history available yet.