CVE-2019-18615Cleartext Storage of Sensitive Info in Cloudvision Portal

CWE-312Cleartext Storage of Sensitive InfoCWE-522Insufficiently Protected Credentials3 documents3 sources
Severity
4.9MEDIUMNVD
EPSS
0.1%
top 72.20%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Arista Cloudvision Portal
Timeline
PublishedDec 19
Latest updateMay 24

Description

In CloudVision Portal (CVP) for all releases in the 2018.2 Train, under certain conditions, the application logs user passwords in plain text for certain API calls, potentially leading to user password exposure. This only affects CVP environments where: 1. Devices have enable mode passwords which are different from the user's login password, OR 2. There are configlet builders that use the Device class and specify username and password explicitly Application logs are not accessible or visible fro

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:NExploitability: 1.2 | Impact: 3.6

Affected Packages1 packages

NVDarista/cloudvision_portal2018.2.02018.2.3

🔴Vulnerability Details

2
GHSA
GHSA-jmhx-5gvj-3fgw: In CloudVision Portal (CVP) for all releases in the 20182022-05-24
CVEList
CVE-2019-18615: In CloudVision Portal (CVP) for all releases in the 20182019-12-19
CVE-2019-18615 — Cleartext Storage of Sensitive Info | cvebase