CVE-2021-28499

In Arista's MOS (Metamako Operating System) software which is supported on the 7130 product line, user account passwords set in clear text could leak to users without any password. This issue affects: Arista Metamako Operating System MOS-0.18 and post releases in the MOS-0.1x train All releases in the MOS-0.2x train MOS-0.31.1 and prior releases in the MOS-0.3x train

CVSS v3 6.3 MEDIUM
CVSS v2.0 2.1 LOW

6.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.0 / Impact : 3.7

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope CHANGED

2.1^/10

CVSS v2.0 : LOW

V2 Legend

Vector : AV:L/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 3.9 / Impact : 2.9

Access Vector LOCAL

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://www.arista.com/en/support/advisories-notices/security-advisories/12912-security-advisory-64	Mitigation Vendor Advisory
https://www.arista.com/en/support/advisories-notices/security-advisories/12912-security-advisory-64	Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

AND

OR	cpe:2.3:o:arista:metamako_operating_system::::::::
	cpe:2.3:o:arista:metamako_operating_system::::::::

cpe:2.3:h:arista:7130:-:*:*:*:*:*:*:*

History

21 Nov 2024, 05:59

Type	Values Removed	Values Added
CVSS	v2 : ~~2.1~~ v3 : ~~5.5~~	v2 : 2.1 v3 : 6.3
References	~~() https://www.arista.com/en/support/advisories-notices/security-advisories/12912-security-advisory-64 - Mitigation, Vendor Advisory~~	() https://www.arista.com/en/support/advisories-notices/security-advisories/12912-security-advisory-64 - Mitigation, Vendor Advisory

Information

Published : 2021-09-09 13:15

Updated : 2024-11-21 05:59

NVD link : CVE-2021-28499

Mitre link : CVE-2021-28499

CVE.ORG link : CVE-2021-28499

JSON object : View

Products Affected

arista

metamako_operating_system
7130

CWE

CWE-255

Credentials Management Errors

CWE-522

Insufficiently Protected Credentials

{"id": "CVE-2021-28499", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 2.1, "accessVector": "LOCAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 3.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Secondary", "source": "psirt@arista.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 3.7, "exploitabilityScore": 2.0}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2021-09-09T13:15:09.620", "references": [{"url": "https://www.arista.com/en/support/advisories-notices/security-advisories/12912-security-advisory-64", "tags": ["Mitigation", "Vendor Advisory"], "source": "psirt@arista.com"}, {"url": "https://www.arista.com/en/support/advisories-notices/security-advisories/12912-security-advisory-64", "tags": ["Mitigation", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "psirt@arista.com", "description": [{"lang": "en", "value": "CWE-255"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-522"}]}], "descriptions": [{"lang": "en", "value": "In Arista's MOS (Metamako Operating System) software which is supported on the 7130 product line, user account passwords set in clear text could leak to users without any password. This issue affects: Arista Metamako Operating System MOS-0.18 and post releases in the MOS-0.1x train All releases in the MOS-0.2x train MOS-0.31.1 and prior releases in the MOS-0.3x train"}, {"lang": "es", "value": "En el software MOS (Metamako Operating System) de Arista, que es compatible con la l\u00ednea de productos 7130, las contrase\u00f1as de las cuentas de usuario ajustadas en texto sin cifrar podr\u00edan filtrarse a usuarios sin contrase\u00f1a. Este problema afecta: Sistema Operativo Metamako de Arista MOS-0.18 y versiones posteriores MOS-0.1x train Todas las versiones en MOS-0.2x train MOS-0.31.1 y versiones anteriores en MOS-0.3x train"}], "lastModified": "2024-11-21T05:59:47.303", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:arista:metamako_operating_system:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9BE6E4B1-F1AD-4187-B235-838C04F715FD", "versionEndIncluding": "0.18.0", "versionStartIncluding": "0.10.0"}, {"criteria": "cpe:2.3:o:arista:metamako_operating_system:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E289CB70-0C19-4CC6-A6E0-202A207A22A2", "versionEndExcluding": "0.32.0", "versionStartIncluding": "0.20.0"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:arista:7130:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "4D832798-DA45-4F9E-AA31-5D088253A28A"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "psirt@arista.com"}

6.3 /10