CVE-2021-37151: 
NixOS vulnerability analysis and mitigation

CyberArk Identity 21.5.131 contains a username enumeration vulnerability discovered in September 2021. The vulnerability occurs when handling invalid authentication attempts, where the system sometimes reveals whether a username is valid. Specifically, in certain authentication policy configurations with Multi-Factor Authentication (MFA), the API response length can be used to differentiate between valid and invalid users (NVD).

The vulnerability is tracked as CVE-2021-37151 and has been assigned a CVSS v3.1 Base Score of 5.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. The vulnerability is classified under CWE-203 (Observable Discrepancy). The issue specifically manifests in the API response length differences during authentication attempts when MFA is configured (NVD).

The vulnerability enables attackers to enumerate usernames of valid application users. This information disclosure can be leveraged to conduct brute-force and dictionary attacks to discover valid account credentials such as passwords. The ability to confirm valid usernames significantly reduces the scope of potential brute-force attacks, making them more efficient (NVD).

Organizations using CyberArk Identity 21.5.131 should upgrade to a patched version of the software. The specific version containing the fix was not publicly disclosed in the available sources (CyberArk Products).