CVE-2021-20569

Vulnerability

IBM Security Secret Server (also known as IBM Security Verify Privilege Vault) up to version 11.0 contains an improper input validation vulnerability [1]. This flaw allows an attacker to enumerate usernames by sending crafted requests to the server. The issue is fixed in version 11.0 [1].

Exploitation

An unauthenticated attacker with network access to the server can exploit this vulnerability without requiring any privileges or user interaction [1]. The attack complexity is low, as the server responds differently to valid vs. invalid usernames, enabling enumeration through a series of probing requests [1].

Impact

Successful exploitation allows the attacker to identify valid usernames on the system [1]. This information can be used to mount further targeted attacks, such as password guessing or social engineering. The confidentiality impact is low, and there is no impact on integrity or availability [1].

Mitigation

The vulnerability is addressed in IBM Security Verify Privilege Vault (IBM Security Secret Server) version 11.0 [1]. Organizations should upgrade to this version or later to mitigate the risk. No workarounds are documented in the available references.