CVE-2021-28497 (GCVE-0-2021-28497)
Vulnerability from cvelistv5 – Published: 2021-09-09 12:41 – Updated: 2024-08-03 21:47
VLAI?
Summary
In Arista's MOS (Metamako Operating System) software which is supported on the 7130 product line, under certain conditions, the bash shell might be accessible to unprivileged users in situations where they should not have access. This issue affects: Arista Metamako Operating System All releases in the MOS-0.1x train MOS-0.26.6 and below releases in the MOS-0.2x train MOS-0.31.1 and below releases in the MOS-0.3x train
Severity ?
4.4 (Medium)
CWE
- CWE-264 - Permissions, Privileges, and Access Controls
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Arista | Metamako Operating System |
Affected:
MOS-0.26.7 , < MOS-0.16.7
(custom)
Affected: MOS-0.32.0 , < MOS-0.32.0 (custom) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:47:32.634Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.arista.com/en/support/advisories-notices/security-advisories/12913-security-advisory-65"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"platforms": [
"Arista 7130 Systems running MOS"
],
"product": "Metamako Operating System",
"vendor": "Arista",
"versions": [
{
"lessThan": "MOS-0.16.7",
"status": "affected",
"version": "MOS-0.26.7",
"versionType": "custom"
},
{
"lessThan": "MOS-0.32.0",
"status": "affected",
"version": "MOS-0.32.0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Arista\u0027s MOS (Metamako Operating System) software which is supported on the 7130 product line, under certain conditions, the bash shell might be accessible to unprivileged users in situations where they should not have access. This issue affects: Arista Metamako Operating System All releases in the MOS-0.1x train MOS-0.26.6 and below releases in the MOS-0.2x train MOS-0.31.1 and below releases in the MOS-0.3x train"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-264",
"description": "CWE-264 Permissions, Privileges, and Access Controls",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-09T12:41:37",
"orgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
"shortName": "Arista"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.arista.com/en/support/advisories-notices/security-advisories/12913-security-advisory-65"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to MOS-0.26.7 or MOS-0.32.0\n"
},
{
"lang": "en",
"value": "Install hotfix stored at https://www.arista.com/assets/data/SecurityAdvisories/SA64-67/SecurityAdvisory64-67-Hotfix-mos-1818-2.0.0-1.11.core2_64.rpm\nFor detailed information about hotfix installation, please see the advisory https://www.arista.com/en/support/advisories-notices/security-advisories/12912-security-advisory-64"
}
],
"source": {
"discovery": "INTERNAL"
},
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@arista.com",
"ID": "CVE-2021-28497",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Metamako Operating System",
"version": {
"version_data": [
{
"platform": "Arista 7130 Systems running MOS",
"version_affected": "\u003c",
"version_name": "MOS-0.26.7",
"version_value": "MOS-0.16.7"
},
{
"platform": "Arista 7130 Systems running MOS",
"version_affected": "\u003c",
"version_name": "MOS-0.32.0",
"version_value": "MOS-0.32.0"
}
]
}
}
]
},
"vendor_name": "Arista"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Arista\u0027s MOS (Metamako Operating System) software which is supported on the 7130 product line, under certain conditions, the bash shell might be accessible to unprivileged users in situations where they should not have access. This issue affects: Arista Metamako Operating System All releases in the MOS-0.1x train MOS-0.26.6 and below releases in the MOS-0.2x train MOS-0.31.1 and below releases in the MOS-0.3x train"
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-264 Permissions, Privileges, and Access Controls"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.arista.com/en/support/advisories-notices/security-advisories/12913-security-advisory-65",
"refsource": "MISC",
"url": "https://www.arista.com/en/support/advisories-notices/security-advisories/12913-security-advisory-65"
}
]
},
"solution": [
{
"lang": "en",
"value": "Upgrade to MOS-0.26.7 or MOS-0.32.0\n"
},
{
"lang": "en",
"value": "Install hotfix stored at https://www.arista.com/assets/data/SecurityAdvisories/SA64-67/SecurityAdvisory64-67-Hotfix-mos-1818-2.0.0-1.11.core2_64.rpm\nFor detailed information about hotfix installation, please see the advisory https://www.arista.com/en/support/advisories-notices/security-advisories/12912-security-advisory-64"
}
],
"source": {
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
"assignerShortName": "Arista",
"cveId": "CVE-2021-28497",
"datePublished": "2021-09-09T12:41:37",
"dateReserved": "2021-03-16T00:00:00",
"dateUpdated": "2024-08-03T21:47:32.634Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"configurations": "[{\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:arista:metamako_operating_system:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"0.26.6\", \"matchCriteriaId\": \"2EB89E3B-DBD9-433C-BF75-DF055380A9F6\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:arista:metamako_operating_system:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"0.31.0\", \"versionEndExcluding\": \"0.32.0\", \"matchCriteriaId\": \"C66AFCAE-47B5-47D5-96AF-C0986611A4C0\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:arista:7130:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"4D832798-DA45-4F9E-AA31-5D088253A28A\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"In Arista\u0027s MOS (Metamako Operating System) software which is supported on the 7130 product line, under certain conditions, the bash shell might be accessible to unprivileged users in situations where they should not have access. This issue affects: Arista Metamako Operating System All releases in the MOS-0.1x train MOS-0.26.6 and below releases in the MOS-0.2x train MOS-0.31.1 and below releases in the MOS-0.3x train\"}, {\"lang\": \"es\", \"value\": \"En el software MOS (Sistema Operativo Metamako) de Arista, que es compatible con la l\\u00ednea de productos 7130, en determinadas condiciones, el shell bash podr\\u00eda ser accesible a usuarios no privilegiados en situaciones en las que no deber\\u00edan tener acceso. Este problema afecta a: Sistema Operativo Metamako de Arista Todas las versiones MOS-0.1x train MOS-0.26.6 y versiones inferiores en MOS-0.2x train MOS-0.31.1 y versiones inferiores en MOS-0.3x train\"}]",
"id": "CVE-2021-28497",
"lastModified": "2024-11-21T05:59:47.043",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"psirt@arista.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L\", \"baseScore\": 4.4, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"LOW\"}, \"exploitabilityScore\": 1.8, \"impactScore\": 2.5}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 7.8, \"baseSeverity\": \"HIGH\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 1.8, \"impactScore\": 5.9}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:L/AC:L/Au:N/C:P/I:P/A:P\", \"baseScore\": 4.6, \"accessVector\": \"LOCAL\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 3.9, \"impactScore\": 6.4, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
"published": "2021-09-09T13:15:09.210",
"references": "[{\"url\": \"https://www.arista.com/en/support/advisories-notices/security-advisories/12913-security-advisory-65\", \"source\": \"psirt@arista.com\", \"tags\": [\"Mitigation\", \"Vendor Advisory\"]}, {\"url\": \"https://www.arista.com/en/support/advisories-notices/security-advisories/12913-security-advisory-65\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mitigation\", \"Vendor Advisory\"]}]",
"sourceIdentifier": "psirt@arista.com",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"psirt@arista.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-264\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"NVD-CWE-Other\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2021-28497\",\"sourceIdentifier\":\"psirt@arista.com\",\"published\":\"2021-09-09T13:15:09.210\",\"lastModified\":\"2024-11-21T05:59:47.043\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In Arista\u0027s MOS (Metamako Operating System) software which is supported on the 7130 product line, under certain conditions, the bash shell might be accessible to unprivileged users in situations where they should not have access. This issue affects: Arista Metamako Operating System All releases in the MOS-0.1x train MOS-0.26.6 and below releases in the MOS-0.2x train MOS-0.31.1 and below releases in the MOS-0.3x train\"},{\"lang\":\"es\",\"value\":\"En el software MOS (Sistema Operativo Metamako) de Arista, que es compatible con la l\u00ednea de productos 7130, en determinadas condiciones, el shell bash podr\u00eda ser accesible a usuarios no privilegiados en situaciones en las que no deber\u00edan tener acceso. Este problema afecta a: Sistema Operativo Metamako de Arista Todas las versiones MOS-0.1x train MOS-0.26.6 y versiones inferiores en MOS-0.2x train MOS-0.31.1 y versiones inferiores en MOS-0.3x train\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"psirt@arista.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L\",\"baseScore\":4.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":1.8,\"impactScore\":2.5},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:L/AC:L/Au:N/C:P/I:P/A:P\",\"baseScore\":4.6,\"accessVector\":\"LOCAL\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":3.9,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"psirt@arista.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-264\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-Other\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:arista:metamako_operating_system:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"0.26.6\",\"matchCriteriaId\":\"2EB89E3B-DBD9-433C-BF75-DF055380A9F6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:arista:metamako_operating_system:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"0.31.0\",\"versionEndExcluding\":\"0.32.0\",\"matchCriteriaId\":\"C66AFCAE-47B5-47D5-96AF-C0986611A4C0\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:arista:7130:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4D832798-DA45-4F9E-AA31-5D088253A28A\"}]}]}],\"references\":[{\"url\":\"https://www.arista.com/en/support/advisories-notices/security-advisories/12913-security-advisory-65\",\"source\":\"psirt@arista.com\",\"tags\":[\"Mitigation\",\"Vendor Advisory\"]},{\"url\":\"https://www.arista.com/en/support/advisories-notices/security-advisories/12913-security-advisory-65\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mitigation\",\"Vendor Advisory\"]}]}}"
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…