CVSS: 4.9EPSS: 0%CPEs: 1EXPL: 0CVE-2019-18615
https://notcve.org/view.php?id=CVE-2019-18615
In CloudVision Portal (CVP) for all releases in the 2018.2 Train, under certain conditions, the application logs user passwords in plain text for certain API calls, potentially leading to user password exposure. This only affects CVP environments where: 1. Devices have enable mode passwords which are different from the user's login password, OR 2. There are configlet builders that use the Device class and specify username and password explicitly Application logs are not accessible or visible from the CVP GUI. Application logs can only be read by authorized users with privileged access to the VM hosting the CVP application. • https://www.arista.com/en/support/advisories-notices/security-advisories/9002-security-advisory-45 • CWE-312: Cleartext Storage of Sensitive Information CWE-522: Insufficiently Protected Credentials •
CVSS: 7.5EPSS: 0%CPEs: 18EXPL: 2CVE-2019-17596 – golang: invalid public key causes panic in dsa.Verify
https://notcve.org/view.php?id=CVE-2019-17596
Go before 1.12.11 and 1.3.x before 1.13.2 can panic upon an attempt to process network traffic containing an invalid DSA public key. There are several attack scenarios, such as traffic from a client to a server that verifies client certificates. Go versiones anteriores a 1.12.11 y versiones 1.3.x anteriores a 1.13.2, puede entrar en pánico tras intentar procesar el tráfico de red que contiene una clave pública DSA no válida. Existen varios escenarios de ataque, tal y como el tráfico de un cliente hacia un servidor que comprueba los certificados del cliente. • https://github.com/pquerna/poc-dsa-verify-CVE-2019-17596 http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00043.html http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00044.html https://access.redhat.com/errata/RHSA-2020:0101 https://access.redhat.com/errata/RHSA-2020:0329 https://github.com/golang/go/issues/34960 https://groups.google.com/d/msg/golang-announce/lVEm7llp0w0/VbafyRkgCgAJ https://lists.debian.org/debian-lts-announce/2021/03/msg00014.html https& • CWE-295: Improper Certificate Validation CWE-436: Interpretation Conflict •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2018-12357
https://notcve.org/view.php?id=CVE-2018-12357
Arista CloudVision Portal through 2018.1.1 has Incorrect Permissions. Arista CloudVision Portal versiones hasta 2018.1.1, presenta Permisos Incorrectos. • https://www.arista.com/en/support/advisories-notices https://www.arista.com/en/support/advisories-notices/security-advisories/5432-security-advisory-35 • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2016-9012
https://notcve.org/view.php?id=CVE-2016-9012
CloudVision Portal (CVP) before 2016.1.2.1 allows remote authenticated users to gain access to the internal configuration mechanisms via the management plane, related to a request to /web/system/console/bundle. CloudVision Portal (CVP) en versiones anteriores a 2016.1.2.1 permite a usuarios remotos autenticados obtener acceso a los mecanismos de configuración internos a través del plano de gestión, relacionados con una petición a /web/system/console/bundle. • http://www.securityfocus.com/bid/94635 https://www.arista.com/en/support/advisories-notices/security-advisories/2116-security-advisory-27 • CWE-264: Permissions, Privileges, and Access Controls •