CVE-2024-27889
8.8
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
Multiple SQL Injection vulnerabilities exist in the reporting application of the Arista Edge Threat Management - Arista NG Firewall (NGFW). A user with advanced report application access rights can exploit the SQL injection, allowing them to execute commands on the underlying operating system with elevated privileges.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Arista Networks | Arista Edge Threat Management - Arista NG Firewall (NGFW) | 0 <= 17.0 | affected |
Weaknesses
- CWE-89: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Workarounds
For the Reports application, for all Reports Users, disable Online Access. To do this:
2. As the NGFW administrator, log into the UI and go to the Reports application.
3. For all users with the Online Access checkbox (red box) enabled, uncheck it.
4. Click Save.
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
CVE Program Container
Additional References
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.