CVE-2023-24546 - Vulnerability Details - OpenCVE

On affected versions of the CloudVision Portal improper access controls on the connection from devices to CloudVision could enable a malicious actor with network access to CloudVision to get broader access to telemetry and configuration data within the system than intended. This advisory impacts the Arista CloudVision Portal product when run on-premise. It does not impact CloudVision as-a-Service.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Arista	Cloudvision Portal

Configuration 1 [-]

OR	cpe:2.3:a:arista:cloudvision_portal::::::::
	cpe:2.3:a:arista:cloudvision_portal:2022.1.0:::::::*
	cpe:2.3:a:arista:cloudvision_portal:2022.1.1:::::::*
	cpe:2.3:a:arista:cloudvision_portal:2022.2.0:::::::*
	cpe:2.3:a:arista:cloudvision_portal:2022.2.1:::::::*
	cpe:2.3:a:arista:cloudvision_portal:2022.3.0:::::::*

No data.

References

Link	Providers
https://www.arista.com/en/support/advisories-notices/security-advisory/17022-security-advisory-0083

History

Mon, 06 Jan 2025 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: Arista

Published: 2023-06-13T00:00:00.000Z

Updated: 2025-01-06T15:36:36.113Z

Reserved: 2023-01-26T00:00:00.000Z

Link: CVE-2023-24546

Vulnrichment

Updated: 2024-08-02T11:03:17.792Z

NVD

Status : Modified

Published: 2023-06-13T21:15:09.867

Modified: 2025-01-06T16:15:25.363

Link: CVE-2023-24546

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2023-24546", "assignerOrgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7", "assignerShortName": "Arista", "dateUpdated": "2025-01-06T15:36:36.113Z", "dateReserved": "2023-01-26T00:00:00.000Z", "datePublished": "2023-06-13T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7", "shortName": "Arista", "dateUpdated": "2023-06-13T00:00:00.000Z"}, "descriptions": [{"lang": "en", "value": "On affected versions of the CloudVision Portal improper access controls on the connection from devices to CloudVision could enable a malicious actor with network access to CloudVision to get broader access to telemetry and configuration data within the system than intended. This advisory impacts the Arista CloudVision Portal product when run on-premise. It does not impact CloudVision as-a-Service."}], "affected": [{"vendor": "n/a", "product": "CloudVision", "versions": [{"version": "<2021.1.0, <2021.2.0, <2021.3.0,", "status": "affected"}]}], "references": [{"url": "https://www.arista.com/en/support/advisories-notices/security-advisory/17022-security-advisory-0083"}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "cwe-284", "cweId": "CWE-284"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T11:03:17.792Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.arista.com/en/support/advisories-notices/security-advisory/17022-security-advisory-0083", "tags": ["x_transferred"]}]}, {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-01-06T15:35:46.216946Z", "id": "CVE-2023-24546", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-06T15:36:36.113Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.arista.com/en/support/advisories-notices/security-advisory/17022-security-advisory-0083", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T11:03:17.792Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2023-24546", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-01-06T15:35:46.216946Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-06T15:36:29.129Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "CloudVision", "versions": [{"status": "affected", "version": "<2021.1.0, <2021.2.0, <2021.3.0,"}]}], "references": [{"url": "https://www.arista.com/en/support/advisories-notices/security-advisory/17022-security-advisory-0083"}], "descriptions": [{"lang": "en", "value": "On affected versions of the CloudVision Portal improper access controls on the connection from devices to CloudVision could enable a malicious actor with network access to CloudVision to get broader access to telemetry and configuration data within the system than intended. This advisory impacts the Arista CloudVision Portal product when run on-premise. It does not impact CloudVision as-a-Service."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "cwe-284"}]}], "providerMetadata": {"orgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7", "shortName": "Arista", "dateUpdated": "2023-06-13T00:00:00.000Z"}}}, "cveMetadata": {"cveId": "CVE-2023-24546", "state": "PUBLISHED", "dateUpdated": "2025-01-06T15:36:36.113Z", "dateReserved": "2023-01-26T00:00:00.000Z", "assignerOrgId": "c8b34d1a-69ae-45c3-88fe-f3b3d44f39b7", "datePublished": "2023-06-13T00:00:00.000Z", "assignerShortName": "Arista"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:arista:cloudvision_portal:*:*:*:*:*:*:*:*", "matchCriteriaId": "A8E8D1BB-B7ED-4886-96A0-FD0C9EA666CC", "versionEndIncluding": "2021.3", "versionStartIncluding": "2021.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:arista:cloudvision_portal:2022.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "F429F0B9-A090-434C-8576-182CC021B76A", "vulnerable": true}, {"criteria": "cpe:2.3:a:arista:cloudvision_portal:2022.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "FB325C9E-8116-434D-9865-DE494EC05F27", "vulnerable": true}, {"criteria": "cpe:2.3:a:arista:cloudvision_portal:2022.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "DF2BF57D-7677-4531-80F8-15842798FBA2", "vulnerable": true}, {"criteria": "cpe:2.3:a:arista:cloudvision_portal:2022.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "08760308-AB42-496A-B473-98DAF7E4EDE1", "vulnerable": true}, {"criteria": "cpe:2.3:a:arista:cloudvision_portal:2022.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "BF6936F8-946B-4A33-B1AD-76F0EFB65223", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "On affected versions of the CloudVision Portal improper access controls on the connection from devices to CloudVision could enable a malicious actor with network access to CloudVision to get broader access to telemetry and configuration data within the system than intended. This advisory impacts the Arista CloudVision Portal product when run on-premise. It does not impact CloudVision as-a-Service."}], "id": "CVE-2023-24546", "lastModified": "2025-01-06T16:15:25.363", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2023-06-13T21:15:09.867", "references": [{"source": "psirt@arista.com", "tags": ["Vendor Advisory"], "url": "https://www.arista.com/en/support/advisories-notices/security-advisory/17022-security-advisory-0083"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.arista.com/en/support/advisories-notices/security-advisory/17022-security-advisory-0083"}], "sourceIdentifier": "psirt@arista.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "psirt@arista.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-863"}], "source": "nvd@nist.gov", "type": "Primary"}]}