9 results (0.009 seconds)

CVSS: 8.1EPSS: 0%CPEs: 6EXPL: 0

On affected versions of the CloudVision Portal improper access controls on the connection from devices to CloudVision could enable a malicious actor with network access to CloudVision to get broader access to telemetry and configuration data within the system than intended. This advisory impacts the Arista CloudVision Portal product when run on-premise. It does not impact CloudVision as-a-Service. • https://www.arista.com/en/support/advisories-notices/security-advisory/17022-security-advisory-0083 • CWE-284: Improper Access Control CWE-863: Incorrect Authorization •

CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0

This advisory documents an internally found vulnerability in the on premises deployment model of Arista CloudVision Portal (CVP) where under a certain set of conditions, user passwords can be leaked in the Audit and System logs. The impact of this vulnerability is that the CVP user login passwords might be leaked to other authenticated users. Este aviso documenta una vulnerabilidad encontrada internamente en el modelo de despliegue on premises de Arista CloudVision Portal (CVP) en el que, bajo un determinado conjunto de condiciones, las contraseñas de los usuarios pueden filtrarse en los registros de auditoría y del sistema. El impacto de esta vulnerabilidad es que las contraseñas de inicio de sesión de los usuarios de CVP podrían filtrarse a otros usuarios autenticados • https://www.arista.com/en/support/advisories-notices/security-advisory/15865-security-advisory-0079 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-532: Insertion of Sensitive Information into Log File •

CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 1

A vulnerability in Arista’s CloudVision Portal (CVP) prior to 2020.2 allows users with “read-only” or greater access rights to the Configlet Management module to download files not intended for access, located on the CVP server, by accessing a specific API. Una vulnerabilidad en CloudVision Portal (CVP) de Arista versiones anteriores a 2020.2, permite a usuarios con derechos de acceso "read-only" o superiores en el módulo Configlet Management descargar archivos no previstos para acceso, ubicados en el servidor CVP, mediante el acceso a una API específica • https://www.arista.com/en/support/advisories-notices https://www.arista.com/en/support/advisories-notices/security-advisories/11706-security-advisory-51 •

CVSS: 7.5EPSS: 0%CPEs: 7EXPL: 0

In support.c in pam_tacplus 1.3.8 through 1.5.1, the TACACS+ shared secret gets logged via syslog if the DEBUG loglevel and journald are used. En el archivo support.c en pam_tacplus versiones 1.3.8 hasta 1.5.1, el secreto compartido TACACS+ es registrado por medio de syslog si el nivel de registro DEBUG y journald son usados • http://www.openwall.com/lists/oss-security/2020/06/08/1 https://github.com/kravietz/pam_tacplus/commit/4a9852c31c2fd0c0e72fbb689a586aabcfb11cb0 https://github.com/kravietz/pam_tacplus/issues/149 https://lists.debian.org/debian-lts-announce/2020/06/msg00007.html https://lists.debian.org/debian-lts-announce/2021/08/msg00006.html https://usn.ubuntu.com/4521-1 https://www.arista.com/en/support/advisories-notices/security-advisories/11705-security-advisory-50 • CWE-532: Insertion of Sensitive Information into Log File •

CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0

In CloudVision Portal all releases in the 2018.1 and 2018.2 Code train allows users with read-only permissions to bypass permissions for restricted functionality via CVP API calls through the Configlet Builder modules. This vulnerability can potentially enable authenticated users with read-only access to take actions that are otherwise restricted in the GUI. En CloudVision Portal, todos las versiones en el tren de Code versiones 2018.1 y 2018.2, permiten a usuarios con permisos de solo lectura omitir los permisos para la funcionalidad restringida por medio de llamadas a la API CVP por medio de los módulos de Configlet Builder. Esta vulnerabilidad puede permitir a usuarios autenticados con acceso de solo lectura tomar acciones que de otro modo estarían restringidas en la GUI. • https://www.arista.com/en/support/advisories-notices/security-advisories/9001-security-advisory-44 •