CVE-2022-22700
N/A
N/A
Summary
CyberArk Identity versions up to and including 22.1 in the 'StartAuthentication' resource, exposes the response header 'X-CFY-TX-TM'. In certain configurations, that response header contains different, predictable value ranges which can be used to determine whether a user exists in the tenant.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| n/a | CyberArk Identity | 22.1 | affected |
Weaknesses
- User enumeration
ADP Enrichment
CVE Program Container
Additional References
- https://fluidattacks.com/advisories/porter/
- https://docs.cyberark.com/Product-Doc/OnlineHelp/Idaptive/Latest/en/Content/ReleaseNotes/ReleaseNotes-Latest.htm
References
- https://fluidattacks.com/advisories/porter/
- https://docs.cyberark.com/Product-Doc/OnlineHelp/Idaptive/Latest/en/Content/ReleaseNotes/ReleaseNotes-Latest.htm
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.