CVE-2021-28500

Published: Jan 14, 2022Modified: Nov 21, 2024

7.8

Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.8 / Impact: 5.9

Source: NVD

Description

An issue has recently been discovered in Arista EOS where the incorrect use of EOS's AAA API’s by the OpenConfig and TerminAttr agents could result in unrestricted access to the device for local users with nopassword configuration.

Affected (7)

Products: Arista: Eos

Arista

1 product

Eos

Configuration A

7 vulnerable

Vulnerable Software	Affected Versions
Arista Eos	Before 4.20
Arista Eos	From 4.21.0 to 4.21.14m
Arista Eos	From 4.22.0 to 4.22.11m
Arista Eos	From 4.23.0 to 4.23.8m
Arista Eos	From 4.24.6.0 to 4.24.6m
Arista Eos	From 4.25.0 to 4.25.4m
Arista Eos	From 4.26.0 to 4.26.1f

Related CWEs

CWE-285

Improper Authorization

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

References (2)

https://www.arista.com/en/support/advisories-notices/security-advisories/13449-security-advisory-0071

Source: psirt@arista.com

ExploitMitigationPatchVendor Advisory

https://www.arista.com/en/support/advisories-notices/security-advisories/13449-security-advisory-0071

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitMitigationPatchVendor Advisory

Timeline

No history available yet.