CVE-2021-28507

Exploit

EPSS 0.14%
Published 14.01.2022 20:15:10
Last modified 21.11.2024 05:59:48
Source psirt@arista.com
Teams watchlist Login
Open Login

An issue has recently been discovered in Arista EOS where, under certain conditions, the service ACL configured for OpenConfig gNOI and OpenConfig RESTCONF might be bypassed, which results in the denied requests being forwarded to the agent.

Affected products Warnungen 0 Metrics 4 CWE 1 References 4

Data is provided by the National Vulnerability Database (NVD)

Arista ≫ Eos Version >= 4.23.0 <= 4.23.9m

Arista ≫ Eos Version >= 4.24.0 <= 4.24.7m

Arista ≫ Eos Version >= 4.25.0 <= 4.25.3

Arista ≫ Eos Version >= 4.25.4 <= 4.25.4m

Arista ≫ Eos Version >= 4.25.5 <= 4.25.5.1m

Arista ≫ Eos Version >= 4.26.0 <= 4.26.2f

Arista ≫ Eos Version4.21.0f

Arista ≫ Eos Version4.21.1f

Arista ≫ Eos Version4.21.3f

Arista ≫ Eos Version4.22.0f

Arista ≫ Eos Version4.22.1f

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.14%	0.348

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.1	2.8	4.2	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
nvd@nist.gov	4.9	6.8	4.9	AV:N/AC:M/Au:S/C:P/I:P/A:N
psirt@arista.com	5.5	1.2	4.2	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N

CWE-284 Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

https://www.arista.com/en/support/advisories-notices/security-advisories/13449-security-advisory-0071

Patch

Vendor Advisory

Exploit

Mitigation

https://nvd.nist.gov/vuln/detail/CVE-2021-28507

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-28507

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-28507

EUVD