CVE-2024-9134

Summary

Multiple SQL Injection vulnerabilities exist in the reporting application. A user with advanced report application access rights can exploit the SQL injection, allowing them to execute commands on the underlying operating system with elevated privileges.

Affected Software

VendorProductVersion RangeStatus
Arista NetworksArista Edge Threat Management17.1.0 <= 17.1.1affected

Weaknesses

  • CWE-89: CWE-89

Workarounds

For the Reports application, for all Reports Users, disable Online Access.

To do this:

  • As the NGFW administrator, log into the UI and go to the Reports application.
  • For all users with the Online Access checkbox (red box) enabled, uncheck it.
  • Click Save.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References