CVE-2025-1259 — Improper Access Control in Networks EOS

CWE-284 — Improper Access Control CWE-1259 — Improper Restriction of Security Token Assignment4 documents4 sources

Severity

7.7HIGHNVD

EPSS

0.1%

top 64.91%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Arista Networks EOS

Timeline

PublishedMar 4

Description

On affected platforms running Arista EOS with OpenConfig configured, a gNOI request can be run when it should have been rejected. This issue can result in users retrieving data that should not have been available

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:NExploitability: 3.1 | Impact: 4.0

Affected Packages1 packages

▶CVEListV5arista_networks/eos4.33.0 — 4.33.1+5

🔴Vulnerability Details

CVEList

On affected platforms running Arista EOS with OpenConfig configured, a gNOI request can be run when it should have been rejected.↗2025-03-04

▶

GHSA

GHSA-wf49-mp4g-xcg4: On affected platforms running Arista EOS with OpenConfig configured, a gNOI request can be run when it should have been rejected↗2025-03-04

▶

📋Vendor Advisories

Microsoft

AAD Pod Identity obtaining token with backslash↗2022-12-13

▶