Search criteria
2 vulnerabilities found for CloudVision by Arista Networks
CVE-2024-8100 (GCVE-0-2024-8100)
Vulnerability from cvelistv5 – Published: 2025-05-08 18:31 – Updated: 2025-05-08 18:57
VLAI?
Title
On affected versions of the Arista CloudVision Portal (CVP on-prem), the time-bound device onboarding token can be used to gain admin privileges on CloudVision.
Summary
On affected versions of the Arista CloudVision Portal (CVP on-prem), the time-bound device onboarding token can be used to gain admin privileges on CloudVision.
Severity ?
8.7 (High)
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Arista Networks | CloudVision |
Affected:
2024.3.0
(custom)
Affected: 2024.0 , ≤ 2024.2 (custom) Affected: 2023.3.0 , ≤ 2023.3.1 (custom) Affected: 2023.0 , ≤ 2023.2 (custom) Affected: 2022 (custom) Affected: 2021 (custom) Affected: 2020 (custom) Affected: 2019 (custom) Affected: 2018 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-8100",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-08T18:56:57.041097Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-08T18:57:09.478Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CloudVision",
"vendor": "Arista Networks",
"versions": [
{
"status": "affected",
"version": "2024.3.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "2024.2",
"status": "affected",
"version": "2024.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "2023.3.1",
"status": "affected",
"version": "2023.3.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "2023.2",
"status": "affected",
"version": "2023.0",
"versionType": "custom"
},
{
"status": "affected",
"version": "2022",
"versionType": "custom"
},
{
"status": "affected",
"version": "2021",
"versionType": "custom"
},
{
"status": "affected",
"version": "2020",
"versionType": "custom"
},
{
"status": "affected",
"version": "2019",
"versionType": "custom"
},
{
"status": "affected",
"version": "2018",
"versionType": "custom"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eNo specific configuration is required to be vulnerable to CVE-2024-8100.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "No specific configuration is required to be vulnerable to CVE-2024-8100."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eOn affected versions of the Arista CloudVision Portal (CVP on-prem), the time-bound device onboarding token can be used to gain admin privileges on CloudVision.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "On affected versions of the Arista CloudVision Portal (CVP on-prem), the time-bound device onboarding token can be used to gain admin privileges on CloudVision."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-08T18:31:39.114Z",
"orgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
"shortName": "Arista"
},
"references": [
{
"url": "https://www.arista.com/en/support/advisories-notices/security-advisory/21316-security-advisory-0116"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below. For more information about upgrading see \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.arista.com/en/support/software-download\"\u003eCVP Software downloads\u003c/a\u003e\u003c/p\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cdiv\u003eCVE-2024-8100 has been fixed in the following releases:\u003c/div\u003e\u003cul\u003e\u003cli\u003e2024.1.3 and later releases in the 2024.1.x train\u003c/li\u003e\u003cli\u003e2024.2.2 and later releases in the 2024.2.x train\u003c/li\u003e\u003cli\u003e2024.3.1 and later releases in the 2024.3.x train\u003c/li\u003e\u003cli\u003e2025.1.0 and later releases in the 2025.1.x train\u003c/li\u003e\u003c/ul\u003e\u003cbr\u003e"
}
],
"value": "The recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below. For more information about upgrading see CVP Software downloads https://www.arista.com/en/support/software-download \n\n\u00a0\n\nCVE-2024-8100 has been fixed in the following releases:\n\n * 2024.1.3 and later releases in the 2024.1.x train\n * 2024.2.2 and later releases in the 2024.2.x train\n * 2024.3.1 and later releases in the 2024.3.x train\n * 2025.1.0 and later releases in the 2025.1.x train"
}
],
"source": {
"advisory": "116",
"defect": [
"BUG 994965"
],
"discovery": "INTERNAL"
},
"title": "On affected versions of the Arista CloudVision Portal (CVP on-prem), the time-bound device onboarding token can be used to gain admin privileges on CloudVision.",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eBest practice is for generated device onboarding tokens to be valid for a limited time duration, and for the Device Onboarding permission which allows the generation of these tokens to only be granted to trusted users.\u003c/p\u003e\u003cp\u003eSuccessful exploit generally requires one of the following:\u003c/p\u003e\u003col\u003e\u003cli\u003eA rogue or compromised internal user with Device enrollment read/write permissions\u003c/li\u003e\u003c/ol\u003e\u003cdiv\u003eOR,\u003c/div\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003col\u003e\u003cli\u003eA valid device onboarding token that is easily accessible beyond the expected set of trusted users\u003c/li\u003e\u003c/ol\u003e\u003cp\u003eIf all users with Device Onboarding privileges are trusted, and onboarding tokens are properly secured, then the risk of this issue is limited.\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "Best practice is for generated device onboarding tokens to be valid for a limited time duration, and for the Device Onboarding permission which allows the generation of these tokens to only be granted to trusted users.\n\nSuccessful exploit generally requires one of the following:\n\n * A rogue or compromised internal user with Device enrollment read/write permissions\nOR,\n\n\u00a0\n\n * A valid device onboarding token that is easily accessible beyond the expected set of trusted users\nIf all users with Device Onboarding privileges are trusted, and onboarding tokens are properly secured, then the risk of this issue is limited."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
"assignerShortName": "Arista",
"cveId": "CVE-2024-8100",
"datePublished": "2025-05-08T18:31:39.114Z",
"dateReserved": "2024-08-22T18:18:50.804Z",
"dateUpdated": "2025-05-08T18:57:09.478Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-8100 (GCVE-0-2024-8100)
Vulnerability from nvd – Published: 2025-05-08 18:31 – Updated: 2025-05-08 18:57
VLAI?
Title
On affected versions of the Arista CloudVision Portal (CVP on-prem), the time-bound device onboarding token can be used to gain admin privileges on CloudVision.
Summary
On affected versions of the Arista CloudVision Portal (CVP on-prem), the time-bound device onboarding token can be used to gain admin privileges on CloudVision.
Severity ?
8.7 (High)
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Arista Networks | CloudVision |
Affected:
2024.3.0
(custom)
Affected: 2024.0 , ≤ 2024.2 (custom) Affected: 2023.3.0 , ≤ 2023.3.1 (custom) Affected: 2023.0 , ≤ 2023.2 (custom) Affected: 2022 (custom) Affected: 2021 (custom) Affected: 2020 (custom) Affected: 2019 (custom) Affected: 2018 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-8100",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-08T18:56:57.041097Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-08T18:57:09.478Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CloudVision",
"vendor": "Arista Networks",
"versions": [
{
"status": "affected",
"version": "2024.3.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "2024.2",
"status": "affected",
"version": "2024.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "2023.3.1",
"status": "affected",
"version": "2023.3.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "2023.2",
"status": "affected",
"version": "2023.0",
"versionType": "custom"
},
{
"status": "affected",
"version": "2022",
"versionType": "custom"
},
{
"status": "affected",
"version": "2021",
"versionType": "custom"
},
{
"status": "affected",
"version": "2020",
"versionType": "custom"
},
{
"status": "affected",
"version": "2019",
"versionType": "custom"
},
{
"status": "affected",
"version": "2018",
"versionType": "custom"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eNo specific configuration is required to be vulnerable to CVE-2024-8100.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "No specific configuration is required to be vulnerable to CVE-2024-8100."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eOn affected versions of the Arista CloudVision Portal (CVP on-prem), the time-bound device onboarding token can be used to gain admin privileges on CloudVision.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "On affected versions of the Arista CloudVision Portal (CVP on-prem), the time-bound device onboarding token can be used to gain admin privileges on CloudVision."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-08T18:31:39.114Z",
"orgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
"shortName": "Arista"
},
"references": [
{
"url": "https://www.arista.com/en/support/advisories-notices/security-advisory/21316-security-advisory-0116"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below. For more information about upgrading see \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.arista.com/en/support/software-download\"\u003eCVP Software downloads\u003c/a\u003e\u003c/p\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003cdiv\u003eCVE-2024-8100 has been fixed in the following releases:\u003c/div\u003e\u003cul\u003e\u003cli\u003e2024.1.3 and later releases in the 2024.1.x train\u003c/li\u003e\u003cli\u003e2024.2.2 and later releases in the 2024.2.x train\u003c/li\u003e\u003cli\u003e2024.3.1 and later releases in the 2024.3.x train\u003c/li\u003e\u003cli\u003e2025.1.0 and later releases in the 2025.1.x train\u003c/li\u003e\u003c/ul\u003e\u003cbr\u003e"
}
],
"value": "The recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below. For more information about upgrading see CVP Software downloads https://www.arista.com/en/support/software-download \n\n\u00a0\n\nCVE-2024-8100 has been fixed in the following releases:\n\n * 2024.1.3 and later releases in the 2024.1.x train\n * 2024.2.2 and later releases in the 2024.2.x train\n * 2024.3.1 and later releases in the 2024.3.x train\n * 2025.1.0 and later releases in the 2025.1.x train"
}
],
"source": {
"advisory": "116",
"defect": [
"BUG 994965"
],
"discovery": "INTERNAL"
},
"title": "On affected versions of the Arista CloudVision Portal (CVP on-prem), the time-bound device onboarding token can be used to gain admin privileges on CloudVision.",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eBest practice is for generated device onboarding tokens to be valid for a limited time duration, and for the Device Onboarding permission which allows the generation of these tokens to only be granted to trusted users.\u003c/p\u003e\u003cp\u003eSuccessful exploit generally requires one of the following:\u003c/p\u003e\u003col\u003e\u003cli\u003eA rogue or compromised internal user with Device enrollment read/write permissions\u003c/li\u003e\u003c/ol\u003e\u003cdiv\u003eOR,\u003c/div\u003e\u003cdiv\u003e\u0026nbsp;\u003c/div\u003e\u003col\u003e\u003cli\u003eA valid device onboarding token that is easily accessible beyond the expected set of trusted users\u003c/li\u003e\u003c/ol\u003e\u003cp\u003eIf all users with Device Onboarding privileges are trusted, and onboarding tokens are properly secured, then the risk of this issue is limited.\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "Best practice is for generated device onboarding tokens to be valid for a limited time duration, and for the Device Onboarding permission which allows the generation of these tokens to only be granted to trusted users.\n\nSuccessful exploit generally requires one of the following:\n\n * A rogue or compromised internal user with Device enrollment read/write permissions\nOR,\n\n\u00a0\n\n * A valid device onboarding token that is easily accessible beyond the expected set of trusted users\nIf all users with Device Onboarding privileges are trusted, and onboarding tokens are properly secured, then the risk of this issue is limited."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
"assignerShortName": "Arista",
"cveId": "CVE-2024-8100",
"datePublished": "2025-05-08T18:31:39.114Z",
"dateReserved": "2024-08-22T18:18:50.804Z",
"dateUpdated": "2025-05-08T18:57:09.478Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}