Vulnerability Details : CVE-2021-28501
An issue has recently been discovered in Arista EOS where the incorrect use of EOS's AAA API’s by the OpenConfig and TerminAttr agents could result in unrestricted access to the device for local users with nopassword configuration.
Vulnerability category: BypassGain privilege
Exploit prediction scoring system (EPSS) score for CVE-2021-28501
Probability of exploitation activity in the next 30 days: 0.04%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 6 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2021-28501
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
|---|---|---|---|---|---|
|
6.9
|
MEDIUM | AV:L/AC:M/Au:N/C:C/I:C/A:C |
3.4
|
10.0
|
NIST |
|
7.8
|
HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
1.8
|
5.9
|
NIST |
|
9.1
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H |
3.9
|
5.2
|
Arista Networks, Inc. |
CWE ids for CVE-2021-28501
-
The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.Assigned by: psirt@arista.com (Secondary)
References for CVE-2021-28501
-
https://www.arista.com/en/support/advisories-notices/security-advisories/13449-security-advisory-0071
Security Advisory 0071 - AristaExploit;Mitigation;Patch;Vendor Advisory
Products affected by CVE-2021-28501
- cpe:2.3:a:arista:terminattr:*:*:*:*:*:*:*:*