CVE-2023-24509

CWE-269Improper Privilege Management3 documents3 sources
Severity
7.8HIGH
EPSS
0.1%
top 80.39%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Arista EOSArista Networks Arista EOS
Timeline
PublishedApr 13

Description

On affected modular platforms running Arista EOS equipped with both redundant supervisor modules and having the redundancy protocol configured with RPR or SSO, an existing unprivileged user can login to the standby supervisor as a root user, leading to a privilege escalation. Valid user credentials are required in order to exploit this vulnerability.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HExploitability: 2.5 | Impact: 6.0

Affected Packages2 packages

NVDarista/eos4.24.04.24.11m+5
CVEListV5arista_networks/arista_eos4.28.04.28.3M+5

🔴Vulnerability Details

2
GHSA
GHSA-w53j-gpf9-387j: On affected modular platforms running Arista EOS equipped with both redundant supervisor modules and having the redundancy protocol configured with RP2023-04-13
CVEList
On affected modular platforms running Arista EOS equipped with both redundant supervisor modules and having the redundancy protocol configured with RPR or SSO, an existing unprivileged user can login 2023-04-13