CVE-2021-28506

Published: Jan 14, 2022Modified: Nov 21, 2024

9.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Exploitability: 3.9 / Impact: 5.2

Source: NVD

Description

An issue has recently been discovered in Arista EOS where certain gNOI APIs incorrectly skip authorization and authentication which could potentially allow a factory reset of the device.

Affected (5)

Products: Arista: Eos

1 product

Configuration A

5 vulnerable

Vulnerable Software	Affected Versions
Arista Eos	From 4.24.0 to 4.24.7m
Arista Eos	From 4.25.0 to 4.25.3
Arista Eos	From 4.25.4 to 4.25.4m
Arista Eos	From 4.25.5 to 4.25.5.1m
Arista Eos	From 4.26.0 to 4.26.2f

Related CWEs

Improper Authorization

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

Missing Authentication for Critical Function

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

References (2)

https://www.arista.com/en/support/advisories-notices/security-advisories/13449-security-advisory-0071

Source: psirt@arista.com

ExploitMitigationPatchVendor Advisory

https://www.arista.com/en/support/advisories-notices/security-advisories/13449-security-advisory-0071

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitMitigationPatchVendor Advisory

Timeline

No history available yet.