cvedb.io
CVE-2021-37151
MEDIUM · CVSS 5.3
EPSS exploitation probability: 0%
Published 2021-09-01T13:15:08.367 · Last modified 2026-06-17T04:00:09.027

Summary

CyberArk Identity 21.5.131, when handling an invalid authentication attempt, sometimes reveals whether the username is valid. In certain authentication policy configurations with MFA, the API response length can be used to differentiate between a valid user and an invalid one (aka Username Enumeration). Response differentiation enables attackers to enumerate usernames of valid application users. Attackers can use this information to leverage brute-force and dictionary attacks in order to discover valid account information such as passwords.

Affected products

cyberark — identity

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.