CVE-2022-22700

MEDIUM

CyberArk Identity <= 22.1 - Info Disclosure

Title source: llm

Description

CyberArk Identity versions up to and including 22.1 in the 'StartAuthentication' resource, exposes the response header 'X-CFY-TX-TM'. In certain configurations, that response header contains different, predictable value ranges which can be used to determine whether a user exists in the tenant.

References (2)

[Exploit, Third Party Advisory] https://fluidattacks.com/advisories/porter/

[Release Notes, Vendor Advisory] https://docs.cyberark.com/Product-Doc/OnlineHelp/Idaptive/Latest/en/Content/ReleaseNotes/ReleaseNotes-Latest.htm

Scores

CVSS v3 5.3

EPSS 0.0026

EPSS Percentile 48.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Details

CWE

CWE-330

Status published

Products (1)

cyberark/identity < 22.1

Published Mar 03, 2022

Tracked Since Feb 18, 2026