Pega continually works to implement security controls designed to protect client environments. With this focus, Pega has identified a critical security vulnerability in versions 8.2.1 – 8.5.2 of Pega Infinity. Pega has created the A21 Hotfix for each relevant version to remediate this issue. 

If you are an on–premise client, please review the table below to determine which hotfix corresponds to your Pegasystems installation. Once you have determined the appropriate hotfix ID, please submit a hotfix request using My Support Portal.  Pega Cloud® environments running the relevant Pega versions are being proactively remediated by Pega. 

As always, we recommend our customers review our Security Checklist regularly.

CVE Details:

Software/Product: Pega Infinity

Version: 8.2.1-8.5.2

CVE ID: CVE-2021- 27651

Description: Password reset functionality for local accounts can be used to bypass local authentication checks.