CVE-2024-11186
10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Summary
On affected versions of the CloudVision Portal, improper access controls could enable a malicious authenticated user to take broader actions on managed EOS devices than intended. This advisory impacts the Arista CloudVision Portal products when run on-premise. It does not impact CloudVision as-a-Service.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Arista Networks | CloudVision Portal | 2024.3.0 | affected |
| Arista Networks | CloudVision Portal | 2024.2.0 <= 2024.2.1 | affected |
| Arista Networks | CloudVision Portal | 2024.1.0 <= 2024.1.2 | affected |
| Arista Networks | CloudVision Portal | 2023.3 | affected |
| Arista Networks | CloudVision Portal | 2023.2 | affected |
| Arista Networks | CloudVision Portal | 2023.1 | affected |
| Arista Networks | CloudVision Portal | 2022.3 | affected |
| Arista Networks | CloudVision Portal | 2022.2 | affected |
| Arista Networks | CloudVision Portal | 2022.1 | affected |
| Arista Networks | CloudVision Portal | 2021.3 | affected |
| Arista Networks | CloudVision Portal | 2021.2 | affected |
| Arista Networks | CloudVision Portal | 2021.1 | affected |
| Arista Networks | CloudVision Portal | 2020.3 | affected |
| Arista Networks | CloudVision Portal | 2020.2 | affected |
| Arista Networks | CloudVision Portal | 2020.1 | affected |
| Arista Networks | CloudVision Portal | 2019.1 | affected |
| Arista Networks | CloudVision Portal | 2018.2 | affected |
| Arista Networks | CloudVision Portal | 2018.1 | affected |
| Arista Networks | CloudVision Portal | 2017.2 | affected |
Weaknesses
- CWE-287: CWE-287 Improper Authentication
Workarounds
The workaround is to append the following to /etc/nginx/conf.d/locations/cvp.https.conf on all CVP nodes:
location ^~ /cvpservice/di/ { return 404; }
Then restart nginx by running the following command on any node:
nginx-app.sh reload
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: total
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.