CVE-2023-24546 (GCVE-0-2023-24546)
Vulnerability from cvelistv5 – Published: 2023-06-13 00:00 – Updated: 2025-01-06 15:36
VLAI?
Summary
On affected versions of the CloudVision Portal improper access controls on the connection from devices to CloudVision could enable a malicious actor with network access to CloudVision to get broader access to telemetry and configuration data within the system than intended. This advisory impacts the Arista CloudVision Portal product when run on-premise. It does not impact CloudVision as-a-Service.
Severity ?
8.1 (High)
CWE
- CWE-284 - cwe-284
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | CloudVision |
Affected:
<2021.1.0, <2021.2.0, <2021.3.0,
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T11:03:17.792Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.arista.com/en/support/advisories-notices/security-advisory/17022-security-advisory-0083"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-24546",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-06T15:35:46.216946Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-06T15:36:36.113Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "CloudVision",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "\u003c2021.1.0, \u003c2021.2.0, \u003c2021.3.0,"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "On affected versions of the CloudVision Portal improper access controls on the connection from devices to CloudVision could enable a malicious actor with network access to CloudVision to get broader access to telemetry and configuration data within the system than intended. This advisory impacts the Arista CloudVision Portal product when run on-premise. It does not impact CloudVision as-a-Service."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "cwe-284",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-13T00:00:00",
"orgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
"shortName": "Arista"
},
"references": [
{
"url": "https://www.arista.com/en/support/advisories-notices/security-advisory/17022-security-advisory-0083"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7",
"assignerShortName": "Arista",
"cveId": "CVE-2023-24546",
"datePublished": "2023-06-13T00:00:00",
"dateReserved": "2023-01-26T00:00:00",
"dateUpdated": "2025-01-06T15:36:36.113Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:arista:cloudvision_portal:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"2021.1\", \"versionEndIncluding\": \"2021.3\", \"matchCriteriaId\": \"A8E8D1BB-B7ED-4886-96A0-FD0C9EA666CC\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:arista:cloudvision_portal:2022.1.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"F429F0B9-A090-434C-8576-182CC021B76A\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:arista:cloudvision_portal:2022.1.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"FB325C9E-8116-434D-9865-DE494EC05F27\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:arista:cloudvision_portal:2022.2.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"DF2BF57D-7677-4531-80F8-15842798FBA2\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:arista:cloudvision_portal:2022.2.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"08760308-AB42-496A-B473-98DAF7E4EDE1\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:arista:cloudvision_portal:2022.3.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"BF6936F8-946B-4A33-B1AD-76F0EFB65223\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"On affected versions of the CloudVision Portal improper access controls on the connection from devices to CloudVision could enable a malicious actor with network access to CloudVision to get broader access to telemetry and configuration data within the system than intended. This advisory impacts the Arista CloudVision Portal product when run on-premise. It does not impact CloudVision as-a-Service.\"}]",
"id": "CVE-2023-24546",
"lastModified": "2025-01-06T16:15:25.363",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N\", \"baseScore\": 8.1, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 5.2}, {\"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N\", \"baseScore\": 8.1, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 5.2}]}",
"published": "2023-06-13T21:15:09.867",
"references": "[{\"url\": \"https://www.arista.com/en/support/advisories-notices/security-advisory/17022-security-advisory-0083\", \"source\": \"psirt@arista.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://www.arista.com/en/support/advisories-notices/security-advisory/17022-security-advisory-0083\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
"sourceIdentifier": "psirt@arista.com",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"psirt@arista.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-284\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-863\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2023-24546\",\"sourceIdentifier\":\"psirt@arista.com\",\"published\":\"2023-06-13T21:15:09.867\",\"lastModified\":\"2025-01-06T16:15:25.363\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"On affected versions of the CloudVision Portal improper access controls on the connection from devices to CloudVision could enable a malicious actor with network access to CloudVision to get broader access to telemetry and configuration data within the system than intended. This advisory impacts the Arista CloudVision Portal product when run on-premise. It does not impact CloudVision as-a-Service.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N\",\"baseScore\":8.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":5.2},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N\",\"baseScore\":8.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":5.2}]},\"weaknesses\":[{\"source\":\"psirt@arista.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-284\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-863\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:arista:cloudvision_portal:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2021.1\",\"versionEndIncluding\":\"2021.3\",\"matchCriteriaId\":\"A8E8D1BB-B7ED-4886-96A0-FD0C9EA666CC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:arista:cloudvision_portal:2022.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F429F0B9-A090-434C-8576-182CC021B76A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:arista:cloudvision_portal:2022.1.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"FB325C9E-8116-434D-9865-DE494EC05F27\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:arista:cloudvision_portal:2022.2.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"DF2BF57D-7677-4531-80F8-15842798FBA2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:arista:cloudvision_portal:2022.2.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"08760308-AB42-496A-B473-98DAF7E4EDE1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:arista:cloudvision_portal:2022.3.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"BF6936F8-946B-4A33-B1AD-76F0EFB65223\"}]}]}],\"references\":[{\"url\":\"https://www.arista.com/en/support/advisories-notices/security-advisory/17022-security-advisory-0083\",\"source\":\"psirt@arista.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.arista.com/en/support/advisories-notices/security-advisory/17022-security-advisory-0083\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://www.arista.com/en/support/advisories-notices/security-advisory/17022-security-advisory-0083\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T11:03:17.792Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-24546\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-01-06T15:35:46.216946Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-01-06T15:36:29.129Z\"}}], \"cna\": {\"affected\": [{\"vendor\": \"n/a\", \"product\": \"CloudVision\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c2021.1.0, \u003c2021.2.0, \u003c2021.3.0,\"}]}], \"references\": [{\"url\": \"https://www.arista.com/en/support/advisories-notices/security-advisory/17022-security-advisory-0083\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"On affected versions of the CloudVision Portal improper access controls on the connection from devices to CloudVision could enable a malicious actor with network access to CloudVision to get broader access to telemetry and configuration data within the system than intended. This advisory impacts the Arista CloudVision Portal product when run on-premise. It does not impact CloudVision as-a-Service.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-284\", \"description\": \"cwe-284\"}]}], \"providerMetadata\": {\"orgId\": \"c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7\", \"shortName\": \"Arista\", \"dateUpdated\": \"2023-06-13T00:00:00\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2023-24546\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-01-06T15:36:36.113Z\", \"dateReserved\": \"2023-01-26T00:00:00\", \"assignerOrgId\": \"c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7\", \"datePublished\": \"2023-06-13T00:00:00\", \"assignerShortName\": \"Arista\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…