CVE-2021-28503

Description

The impact of this vulnerability is that Arista's EOS eAPI may skip re-evaluating user credentials when certificate based authentication is used, which allows remote attackers to access the device via eAPI.

CVSS breakdown

CVSS 3.1

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

High

Affected products

Arista Networks / Arista EOSEOS-4.23 – EOS-4.23.10
Arista Networks / Arista EOSEOS-4.24 – EOS-4.24.8
Arista Networks / Arista EOSEOS-4.25 – EOS-4.25.6
Arista Networks / Arista EOSEOS-4.26 – EOS-4.26.3

References

VENDOR_ADVISORYhttps://www.arista.com/en/support/advisories-notices/security-advisories/13605-security-advisory-0072