9.8

CVE-2021-28503

In Arista's EOS software affected releases, eAPI might skip re-evaluating user credentials when certificate based authentication is used, which allows remote attackers to access the device via eAPI.

The impact of this vulnerability is that Arista's EOS eAPI may skip re-evaluating user credentials when certificate based authentication is used, which allows remote attackers to access the device via eAPI.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
AristaEos Version >= 4.22 <= 4.22.9m
AristaEos Version >= 4.23 <= 4.23.9
AristaEos Version >= 4.24 <= 4.24.7
AristaEos Version >= 4.25 <= 4.25.5
AristaEos Version >= 4.26 <= 4.26.2
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.4% 0.603
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov 6.8 8.6 6.4
AV:N/AC:M/Au:N/C:P/I:P/A:P
psirt@arista.com 7.4 2.2 5.2
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H
CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

CWE-305 Authentication Bypass by Primary Weakness

The authentication algorithm is sound, but the implemented mechanism can be bypassed as the result of a separate weakness that is primary to the authentication error.