CVE-2021-28496

CWE-311 CWE-522 — Insufficiently Protected Credentials3 documents3 sources

Severity

6.5MEDIUM

EPSS

0.1%

top 68.71%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Arista Networks Arista EOS Arista EOS

Timeline

PublishedOct 21

Latest updateMay 24

Description

On systems running Arista EOS and CloudEOS with the affected release version, when using shared secret profiles the password configured for use by BiDirectional Forwarding Detection (BFD) will be leaked when displaying output over eAPI or other JSON outputs to other authenticated users on the device. The affected EOS Versions are: all releases in 4.22.x train, 4.23.9 and below releases in the 4.23.x train, 4.24.7 and below releases in the 4.24.x train, 4.25.4 and below releases in the 4.25.x tra…

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 2.1 | Impact: 3.6

Affected Packages2 packages

▶NVDarista/eos4.23 — 4.23.10+4

▶CVEListV5arista_networks/arista_eosEOS-4.23 — EOS-4.23.10+4

🔴Vulnerability Details

GHSA

GHSA-v5xw-5jg8-4q3j: On systems running Arista EOS and CloudEOS with the affected release version, when using shared secret profiles the password configured for use by BiD↗2022-05-24

▶

CVEList

In Arista's EOS software affected releases, the shared secret profiles sensitive configuration might be leaked when displaying output over eAPI or other JSON outputs to authenticated users on the devi↗2021-10-21

▶