Vulnerability Details CVE-2022-22700
In CyberArk Identity versions up to and including 22.1, the 'StartAuthentication' resource exposes the response header 'X-CFY-TX-TM'. In certain configurations, that response header contains different, predictable value ranges which can be used to determine whether a user exists in the tenant.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.003
EPSS Ranking 48.8%
CVSS Severity
CVSS v3 Score 5.3
CVSS v2 Score 5.0
Products affected by CVE-2022-22700
- cpe:2.3:a:cyberark:identity:19.1
- cpe:2.3:a:cyberark:identity:19.2
- cpe:2.3:a:cyberark:identity:19.3
- cpe:2.3:a:cyberark:identity:19.4
- cpe:2.3:a:cyberark:identity:19.5.186
- cpe:2.3:a:cyberark:identity:19.5.197
- cpe:2.3:a:cyberark:identity:19.5.200
- cpe:2.3:a:cyberark:identity:19.5.205
- cpe:2.3:a:cyberark:identity:19.6.269
- cpe:2.3:a:cyberark:identity:19.6.273
- cpe:2.3:a:cyberark:identity:19.6.279
- cpe:2.3:a:cyberark:identity:20.1.237
- cpe:2.3:a:cyberark:identity:20.1.242
- cpe:2.3:a:cyberark:identity:20.1.250
- cpe:2.3:a:cyberark:identity:20.1.256
- cpe:2.3:a:cyberark:identity:20.1.257
- cpe:2.3:a:cyberark:identity:20.1.258
- cpe:2.3:a:cyberark:identity:20.2.385
- cpe:2.3:a:cyberark:identity:20.2.386
- cpe:2.3:a:cyberark:identity:20.2.388
- cpe:2.3:a:cyberark:identity:20.3.192
- cpe:2.3:a:cyberark:identity:20.3.197
- cpe:2.3:a:cyberark:identity:20.4.162
- cpe:2.3:a:cyberark:identity:20.5.163
- cpe:2.3:a:cyberark:identity:20.6.137
- cpe:2.3:a:cyberark:identity:20.6.138
- cpe:2.3:a:cyberark:identity:20.7.156
- cpe:2.3:a:cyberark:identity:21.1.109
- cpe:2.3:a:cyberark:identity:21.10.146
- cpe:2.3:a:cyberark:identity:21.11.130
- cpe:2.3:a:cyberark:identity:21.11.133
- cpe:2.3:a:cyberark:identity:21.2.123
- cpe:2.3:a:cyberark:identity:21.2.124
- cpe:2.3:a:cyberark:identity:21.3.135
- cpe:2.3:a:cyberark:identity:21.4.139
- cpe:2.3:a:cyberark:identity:21.4.143
- cpe:2.3:a:cyberark:identity:21.5.131
- cpe:2.3:a:cyberark:identity:21.6.124
- cpe:2.3:a:cyberark:identity:21.7.146
- cpe:2.3:a:cyberark:identity:21.8.126
- cpe:2.3:a:cyberark:identity:21.8.127
- cpe:2.3:a:cyberark:identity:21.9.131
- cpe:2.3:a:cyberark:identity:22.1