CVE-2021-28500
Arista EOS < 4.20 - Unauthenticated Unrestricted Device Access via OpenConfig and TerminAttr AAA API Misuse
Severity
CRITICAL
An issue has been discovered in Arista EOS where incorrect use of EOS's AAA APIs by the OpenConfig and TerminAttr agents could result in unrestricted access to the device for local users configured with nopassword. The agents bypass the authentication a nopassword user would otherwise be subject to, so the exposure depends on both an affected release and the presence of at least one such user alongside an enabled OpenConfig or TerminAttr agent.
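The following is an added exposure check written for this page; it is not code from this record or from Arista's advisory. It parses a `show running-config` capture for the three conditions the description combines: an EOS release below the 4.20 threshold listed in this record's product entry, local `username ... nopassword` entries, and an enabled `daemon TerminAttr` or `management api gnmi` (OpenConfig) block. The config keywords and the `! device: ... (model, EOS-x.y.zF)` banner are assumed standard EOS syntax, the sample config is constructed, and the exact fixed releases should be confirmed against the vendor advisory rather than the 4.20 cut-off alone.

```python
import re
from typing import NamedTuple

# Constructed sample of EOS `show running-config` output. Not taken from any
# real device or from the advisory; it exists only to exercise the checks below.
SAMPLE_RUNNING_CONFIG = """\
! device: sw-core-01 (DCS-7050SX, EOS-4.18.3F)
!
hostname sw-core-01
!
username admin privilege 15 role network-admin nopassword
username netops privilege 15 role network-admin secret sha512 $6$abc...
username readonly role network-operator nopassword
!
daemon TerminAttr
   exec /usr/bin/TerminAttr -cvaddr=10.0.0.5:9910
   no shutdown
!
management api gnmi
   transport grpc default
!
"""

# Threshold taken from this record's affected-product entry (arista/eos < 4.20).
# Assumption: the advisory's per-train fixed releases are not reproduced here.
FIXED_MAJOR_MINOR = (4, 20)

# `username <name> ... nopassword` at end of line; the `secret` form does not match.
NOPASSWORD_RE = re.compile(r"^username\s+(\S+)\b.*\bnopassword\s*$", re.MULTILINE)
# Version token from the config banner, e.g. "EOS-4.18.3F"; only major.minor matter here.
EOS_VERSION_RE = re.compile(r"EOS-(\d+)\.(\d+)")


class Assessment(NamedTuple):
    version: tuple
    vulnerable_version: bool
    nopassword_users: list
    terminattr_enabled: bool
    openconfig_enabled: bool

    @property
    def exposed(self) -> bool:
        # All three conditions from the description must hold: affected release,
        # at least one nopassword local user, and an agent that misuses the AAA API.
        return (self.vulnerable_version
                and bool(self.nopassword_users)
                and (self.terminattr_enabled or self.openconfig_enabled))


def parse_eos_version(config: str) -> tuple:
    m = EOS_VERSION_RE.search(config)
    if not m:
        raise ValueError("no EOS-x.y version token found in config banner")
    return (int(m.group(1)), int(m.group(2)))


def find_nopassword_users(config: str) -> list:
    return NOPASSWORD_RE.findall(config)


def agent_enabled(config: str, header: str) -> bool:
    # True if a block beginning with `header` exists and its indented body does not
    # contain a bare `shutdown` line (`no shutdown` is treated as enabled).
    block = re.search(rf"^{re.escape(header)}\s*\n((?:[ \t]+.*\n?)*)", config, re.MULTILINE)
    if not block:
        return False
    return not re.search(r"^\s+shutdown\s*$", block.group(1), re.MULTILINE)


def assess(config: str) -> Assessment:
    version = parse_eos_version(config)
    return Assessment(
        version=version,
        vulnerable_version=version < FIXED_MAJOR_MINOR,
        nopassword_users=find_nopassword_users(config),
        terminattr_enabled=agent_enabled(config, "daemon TerminAttr"),
        openconfig_enabled=agent_enabled(config, "management api gnmi"),
    )


if __name__ == "__main__":
    result = assess(SAMPLE_RUNNING_CONFIG)
    print(f"EOS {result.version[0]}.{result.version[1]} "
          f"(below {FIXED_MAJOR_MINOR[0]}.{FIXED_MAJOR_MINOR[1]}: {result.vulnerable_version})")
    print(f"nopassword users: {result.nopassword_users}")
    print(f"TerminAttr enabled: {result.terminattr_enabled}, gNMI enabled: {result.openconfig_enabled}")
    print("EXPOSED" if result.exposed else "not exposed")
```

Removing the `nopassword` users or shutting down both agents clears the exposure on an affected release; upgrading past the threshold clears it regardless of the user configuration, which is the order of remediation the CVSS vector (network, no privileges, no interaction) argues for.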
References (1)
Tags: Exploit, Mitigation, Patch, Vendor Advisory
https://www.arista.com/en/support/advisories-notices/security-advisories/13449-security-advisory-0071
Scores
CVSS v3
9.1
EPSS
0.0087
EPSS Percentile
54.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Details
CWE
CWE-285
Status
published
Products (1)
arista/eos
< 4.20
Published
Jan 14, 2022
Tracked Since
Feb 18, 2026