Information disclosure in Arista Extensible Operating System (EOS) - CVE-2021-28496
Published: May 17, 2025
Vulnerability identifier: #VU109296
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2021-28496
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Arista Networks
Affected software:
Arista Extensible Operating System (EOS)
Arista Extensible Operating System (EOS)
Detailed vulnerability description
The vulnerability allows a remote user to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output by the application. When using shared secret profiles the password configured for use by BiDirectional Forwarding Detection (BFD) will be leaked when displaying output over eAPI or other JSON outputs to authenticated users on the device.
How to mitigate CVE-2021-28496
Install updates from vendor's website.