CVE-2021-28496
MEDIUM
Arista EOS < 4.22.7m - Insufficiently Protected Credentials
Title source: rule
Description
On systems running Arista EOS and CloudEOS with an affected release version, when shared secret profiles are in use, the password configured for use by Bidirectional Forwarding Detection (BFD) will be leaked when displaying output over eAPI or other JSON outputs to other authenticated users on the device. The affected EOS versions are: all releases in the 4.22.x train; 4.23.9 and below releases in the 4.23.x train; 4.24.7 and below releases in the 4.24.x train; 4.25.4 and below releases in the 4.25.x train; and 4.26.1 and below releases in the 4.26.x train.
Scores
CVSS v3
5.7
EPSS
0.0012
EPSS Percentile
31.2%
Attack Vector
ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Classification
CWE
CWE-522
CWE-311
Status
published
Affected Products (1)
arista/eos
< 4.22.7m
Timeline
Published
Oct 21, 2021
Tracked Since
Feb 18, 2026