MidnightBSD

Advisories for cyberark

CVE-2017-11197

In CyberArk Viewfinity 5.5.10.95 and 6.x before 6.1.1.220, a low privilege user can escalate to an administrative user via a bug within the "add printer" option.

Products Affected

Vendor Product Version
cyberark viewfinity 5.5.10.95
cyberark viewfinity *
CVE-2018-12903 LOW

In CyberArk Endpoint Privilege Manager (formerly Viewfinity) 10.2.1.603, there is persistent XSS via an account name on the create token screen, the VfManager.asmx SelectAccounts->DisplayName screen, a user's groups in ConfigurationPage, the Dialog Title field, and App Group Name in the Application Group Wizard.

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
cyberark endpoint_privilege_manager 10.2.1.603
CVE-2018-13052 HIGH

In CyberArk Endpoint Privilege Manager (formerly Viewfinity), Privilege Escalation is possible if the attacker has one process that executes as Admin.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
cyberark endpoint_privilege_manager -
CVE-2018-14894 MEDIUM

CyberArk Endpoint Privilege Manager 10.2.1.603 and earlier allows an attacker (who is able to edit permissions of a file) to bypass intended access restrictions and execute blocked applications.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-269,

Products Affected

Vendor Product Version
cyberark endpoint_privilege_manager *
CVE-2018-9842 MEDIUM

CyberArk Password Vault before 9.7 allows remote attackers to obtain sensitive information from process memory by replaying a logon message.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
cyberark password_vault *
CVE-2018-9843 HIGH

The REST API in CyberArk Password Vault Web Access before 9.9.5 and 10.x before 10.1 allows remote attackers to execute arbitrary code via a serialized .NET object in an Authorization HTTP header.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-502,

Products Affected

Vendor Product Version
cyberark password_vault *
CVE-2019-3800 LOW

CF CLI version prior to v6.45.0 (bosh release version 1.16.0) writes the client id and secret to its config file when the user authenticates with --client-credentials flag. A local authenticated malicious user with access to the CF CLI config file can act as that client, who is the owner of the leaked credentials.

CVSS 2.0

Severity: LOW

Problem Type: CWE-522,CWE-200,

Products Affected

Vendor Product Version
pivotal cloud_foundry_networking_release *
yugabyte db_enterprise *
appdynamics application_performance_monitoring *
tibco businessworks_buildpack *
pivotal cloud_foundry_deployment_concourse_tasks *
apigee edge_service_broker *
cyberark conjur_service_broker *
microsoft azure_service_broker *
snyk service_broker *
pivotal cloud_foundry_command_line_interface *
pivotal cloud_foundry_notifications *
anynines redis *
synopsys seeker_iast_service_broker *
newrelic service_broker *
wavefront wavefront_by_vmware_nozzle *
pivotal application_service *
dynatrace service_broker *
google google_cloud_platform_service_broker *
ibm websphere_liberty_ *
microsoft azure_log_analytics_nozzle *
pivotal cloud_foundry_log_cache_release *
contrastsecurity service_broker *
pivotal cloud_foundry_command_line_interface_release *
anynines mongodb *
pivotal credhub_service_broker_for_pcf *
appdynamics platform_montioring *
sumologic nozzle *
pivotal metric_registrar_release *
anynines postgresql *
datadoghq application_monitoring *
solace pubsub+ *
pivotal cloud_foundry_autoscaling_release *
pivotal cloud_foundry_routing_release *
pagerduty service_broker *
pivotal cloud_foundry_event_alerts *
bluemedora nozzle *
pivotal cloud_foundry_healthwatch *
samba volume_service *
forgerock service_broker *
anynines rabbitmq *
anynines elasticsearch *
newrelic dotnet_extension_buildpack *
pivotal cloud_foundry_smoke_test *
pivotal single_sign-on *
pivotal pivotal_cloud_foundry_service_broker *
datastax enterprise_service_broker *
riverbed steelcentral_appinternals *
newrelic nozzle *
appdynamics application_analytics *
anynines logme *
anynines mysql *
pivotal cloud_foundry_deployment *
signalsciences service_broker *
pivotal on_demand_service_broker *
splunk nozzle *
CVE-2019-7442 HIGH

An XML external entity (XXE) vulnerability in the Password Vault Web Access (PVWA) of CyberArk Enterprise Password Vault <=10.7 allows remote attackers to read arbitrary files or potentially bypass authentication via a crafted DTD in the SAML authentication system.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-611,

Products Affected

Vendor Product Version
cyberark enterprise_password_vault *
CVE-2019-9627 MEDIUM

A buffer overflow in the kernel driver CybKernelTracker.sys in CyberArk Endpoint Privilege Manager versions prior to 10.7 allows an attacker (without Administrator privileges) to escalate privileges or crash the machine by loading an image, such as a DLL, with a long path.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.0 HIGH CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H 1.0 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-787,

Products Affected

Vendor Product Version
cyberark endpoint_privilege_manager *
CVE-2020-25374 LOW

CyberArk Privileged Session Manager (PSM) 10.9.0.15 allows attackers to discover internal pathnames by reading an error popup message after two hours of idle time.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 2.6 LOW CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N 1.2 1.4

CVSS 2.0

Severity: LOW

Problem Type: CWE-613,

Products Affected

Vendor Product Version
cyberark privileged_session_manager 10.9.0.15
CVE-2020-25738 LOW

CyberArk Endpoint Privilege Manager (EPM) 11.1.0.173 allows attackers to bypass a Credential Theft protection mechanism by injecting a DLL into a process that normally has credential access, such as a Chrome process that reads credentials from a SQLite database.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N 1.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-427,

Products Affected

Vendor Product Version
cyberark endpoint_privilege_manager 11.1.0.173
CVE-2020-4062 HIGH

In Conjur OSS Helm Chart before 2.0.0, a recently identified critical vulnerability resulted in the installation of the Conjur Postgres database with an open port. This allows an attacker to gain full read & write access to the Conjur Postgres database, including escalating the attacker's privileges to assume full control. A malicious actor who knows the IP address and port number of the Postgres database and has access into the Kubernetes cluster where Conjur runs can gain full read & write access to the Postgres database. This enables the attacker to write a policy that allows full access to retrieve any secret. This Helm chart is a method to install Conjur OSS into a Kubernetes environment. Hence, the systems impacted are only Conjur OSS systems that were deployed using this chart. Other deployments including Docker and the CyberArk Dynamic Access Provider (DAP) are not affected. To remediate this vulnerability, clone the latest Helm Chart and follow the upgrade instructions. If you are not able to fully remediate this vulnerability immediately, you can mitigate some of the risk by making sure Conjur OSS is deployed on an isolated Kubernetes cluster or namespace. The term "isolated" refers to: - No other workloads besides Conjur OSS and its backend database are running in that Kubernetes cluster/namespace. - Kubernetes and helm access to the cluster/namespace is limited to security administrators via Role-Based Access Control (RBAC).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 8.7 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N 2.3 5.8
nvd@nist.gov 9.0 CRITICAL CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H 2.3 6.0

CVSS 2.0

Severity: HIGH

Problem Type: CWE-284,NVD-CWE-Other,

Products Affected

Vendor Product Version
cyberark conjur_oss_helm_chart *
CVE-2021-31796 MEDIUM

An inadequate encryption vulnerability discovered in CyberArk Credential Provider before 12.1 may lead to Information Disclosure. An attacker may realistically have enough information that the number of possible keys (for a credential file) is only one, and the number is usually not higher than 2^36.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-327,

Products Affected

Vendor Product Version
cyberark credential_provider *
CVE-2021-31797 LOW

The user identification mechanism used by CyberArk Credential Provider prior to 12.1 is susceptible to a local host race condition, leading to password disclosure.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.1 MEDIUM CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N 1.4 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-331,CWE-362,

Products Affected

Vendor Product Version
cyberark credential_provider *
CVE-2021-31798 LOW

The effective key space used to encrypt the cache in CyberArk Credential Provider prior to 12.1 has low entropy, and under certain conditions a local malicious user can obtain the plaintext of cache files.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.4 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N 0.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-331,

Products Affected

Vendor Product Version
cyberark credential_provider *
CVE-2021-37151 MEDIUM

CyberArk Identity 21.5.131, when handling an invalid authentication attempt, sometimes reveals whether the username is valid. In certain authentication policy configurations with MFA, the API response length can be used to differentiate between a valid user and an invalid one (aka Username Enumeration). Response differentiation enables attackers to enumerate usernames of valid application users. Attackers can use this information to leverage brute-force and dictionary attacks in order to discover valid account information such as passwords.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-203,

Products Affected

Vendor Product Version
cyberark identity *
CVE-2021-44049 MEDIUM

CyberArk Endpoint Privilege Manager (EPM) through 11.5.3.328 before 2021-12-20 allows a local user to gain elevated privileges via a Trojan horse Procmon64.exe in the user's Temp directory.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-668,

Products Affected

Vendor Product Version
cyberark endpoint_privilege_manager *
CVE-2022-22700 MEDIUM

CyberArk Identity versions up to and including 22.1 in the 'StartAuthentication' resource, exposes the response header 'X-CFY-TX-TM'. In certain configurations, that response header contains different, predictable value ranges which can be used to determine whether a user exists in the tenant.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-330,

Products Affected

Vendor Product Version
cyberark identity *
CVE-2025-49827

Conjur provides secrets management and application identity for infrastructure. Conjur OSS versions 1.19.5 through 1.22.0 and Secrets Manager, Self-Hosted (formerly known as Conjur Enterprise) 13.1 through 13.5 and 13.6 are vulnerable to bypass of the IAM authenticator. An attacker who can manipulate the headers signed by AWS can take advantage of a malformed regular expression to redirect the authentication validation request that Secrets Manager, Self-Hosted sends to AWS to a malicious server controlled by the attacker. This redirection could result in a bypass of the Secrets Manager, Self-Hosted IAM Authenticator, granting the attacker the permissions granted to the client whose request was manipulated. This issue affects both Secrets Manager, Self-Hosted (formerly Conjur Enterprise) and Conjur OSS. Conjur OSS version 1.22.1 and Secrets Manager, Self-Hosted versions 13.5.1 and 13.6.1 fix the issue.

Products Affected

Vendor Product Version
cyberark conjur *
CVE-2025-49828

Conjur provides secrets management and application identity for infrastructure. Conjur OSS versions 1.19.5 through 1.21.1 and Secrets Manager, Self-Hosted (formerly known as Conjur Enterprise) 13.1 through 13.4.1 are vulnerable to remote code execution An authenticated attacker who can inject secrets or templates into the Secrets Manager, Self-Hosted database could take advantage of an exposed API endpoint to execute arbitrary Ruby code within the Secrets Manager process. This issue affects both Secrets Manager, Self-Hosted (formerly Conjur Enterprise) and Conjur OSS. Conjur OSS version 1.21.2 and Secrets Manager, Self-Hosted version 13.5 fix the issue.

Products Affected

Vendor Product Version
cyberark conjur *
CVE-2025-49829

Conjur provides secrets management and application identity for infrastructure. Missing validations in Secrets Manager, Self-Hosted allows authenticated attackers to inject resources into the database and to bypass permission checks. This issue affects Secrets Manager, Self-Hosted (formerly Conjur Enterprise) prior to versions 13.5.1 and 13.6.1 and Conjur OSS prior to version 1.22.1. Conjur OSS version 1.22.1 and Secrets Manager, Self-Hosted versions 13.5.1 and 13.6.1 fix the issue.

Products Affected

Vendor Product Version
cyberark conjur 13.6
cyberark conjur *
CVE-2025-49830

Conjur provides secrets management and application identity for infrastructure. An authenticated attacker who is able to load policy can use the policy yaml parser to reference files on the Secrets Manager, Self-Hosted server. These references may be used as reconnaissance to better understand the folder structure of the Secrets Manager/Conjur server or to have the yaml parser include files on the server in the yaml that is processed as the policy loads. This issue affects Secrets Manager, Self-Hosted (formerly Conjur Enterprise) prior to versions 13.5.1 and 13.6.1 and Conjur OSS prior to version 1.22.1. Conjur OSS version 1.22.1 and Secrets Manager, Self-Hosted versions 13.5.1 and 13.6.1 fix the issue.

Products Affected

Vendor Product Version
cyberark conjur 13.6
cyberark conjur *
CVE-2025-49831

An attacker of Secrets Manager, Self-Hosted installations that route traffic from Secrets Manager to AWS through a misconfigured network device can reroute authentication requests to a malicious server under the attacker’s control. CyberArk believes there to be very few installations where this issue can be actively exploited, though Secrets Manager, Self-Hosted (formerly Conjur Enterprise) prior to versions 13.5.1 and 13.6.1 and Conjur OSS prior to version 1.22.1 may be affected. Conjur OSS version 1.22.1 and Secrets Manager, Self-Hosted versions 13.5.1 and 13.6.1 fix the issue.

Products Affected

Vendor Product Version
cyberark conjur 13.6
cyberark conjur *
CVE-2025-66374

CyberArk Endpoint Privilege Manager Agent through 25.10.0 allows a local user to achieve privilege escalation through policy elevation of an Administration task.

Products Affected

Vendor Product Version
cyberark endpoint_privilege_manager *
CVE-2026-2914

CyberArk Endpoint Privilege Manager Agent versions 25.10.0 and lower allow potential unauthorized privilege elevation leveraging CyberArk elevation dialogs

Products Affected

Vendor Product Version
cyberark endpoint_privilege_manager *