Arista Networks Cloudvision Portal vulnerabilities

4 known vulnerabilities affecting arista_networks/cloudvision_portal.

Total CVEs: 4
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 3, MEDIUM 1

Vulnerabilities

CVE-2024-12378 | CRITICAL | CVSS 9.1 | ≥ 4.32.0, ≤ 4.32.2F; ≥ 4.31.0, ≤ 4.31.6M; +4 more | 2025-05-08
CVE-2024-12378 [CRITICAL] CWE-319: On affected platforms running Arista EOS with secure Vxlan configured, restarting the Tunnelsec agent will result in packets being sent over the secure Vxlan tunnels in the clear.
Sources: cvelistv5, nvd

CVE-2024-11186 | CRITICAL | CVSS 10.0 | v2024.3.0; ≥ 2024.2.0, ≤ 2024.2.1; +17 more | 2025-05-08
CVE-2024-11186 [CRITICAL] CWE-287: On affected versions of the CloudVision Portal, improper access controls could enable a malicious authenticated user to take broader actions on managed EOS devices than intended. This advisory impacts the Arista CloudVision Portal products when run on-premise. It does not impact CloudVision as-a-Service.
Sources: cvelistv5, nvd

CVE-2025-0505 | CRITICAL | CVSS 10.0 | ≥ 2024.2.0, ≤ 2024.2.1; v2024.3.0 | 2025-05-08
CVE-2025-0505 [CRITICAL] CWE-269: On Arista CloudVision systems (virtual or physical on-premise deployments), Zero Touch Provisioning can be used to gain admin privileges on the CloudVision system, with more permissions than necessary, which can be used to query or manipulate system state for devices under management. Note that CloudVision as-a-Service is not affected.
Sources: cvelistv5, nvd

CVE-2022-29071 | MEDIUM | CVSS 5.5 | v2020.2; v2020.3; +3 more | 2022-08-05
CVE-2022-29071 [MEDIUM] CWE-200: This advisory documents an internally found vulnerability in the on premises deployment model of Arista CloudVision Portal (CVP) where under a certain set of conditions, user passwords can be leaked in the Audit and System logs. The impact of this vulnerability is that the CVP user login passwords might be leaked to other authenticated users.
Sources: cvelistv5, nvd