Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2021-28496

On systems running Arista EOS and CloudEOS with the affected release version, when using shared secret profiles the password configured for use by BiDirectional Forwarding Detection (BFD) will be leaked when displaying output over eAPI or other JSON outputs to other authenticated users on the device. The affected EOS Versions are: all releases in 4.22.x train, 4.23.9 and below releases in the 4.23.x train, 4.24.7 and below releases in the 4.24.x train, 4.25.4 and below releases in the 4.25.x train, 4.26.1 and below releases in the 4.26.x train

Published

2021-10-21T17:15:07.740

Last Modified

2024-11-21T05:59:46.883

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 5.7 (MEDIUM)

CVSSv2 Vector

AV:N/AC:L/Au:S/C:P/I:N/A:N

Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

Exploitability Score

8.0

Impact Score

2.9

Weaknesses

Type: Secondary
CWE-311
Type: Primary
CWE-522

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Operating System	arista	eos	≤ 4.22.7m	Yes
Operating System	arista	eos	< 4.23.10	Yes
Operating System	arista	eos	< 4.24.8	Yes
Operating System	arista	eos	< 4.25.5	Yes
Operating System	arista	eos	< 4.26.2	Yes

References

https://www.arista.com/en/support/advisories-notices/security-advisories/13243-security-advisory-0069 Vendor Advisory ([email protected])
https://www.arista.com/en/support/advisories-notices/security-advisories/13243-security-advisory-0069 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)