Cloudvision Portal
CVE-2022-29071
MEDIUM
Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionNVD
This advisory documents an internally found vulnerability in the on premises deployment model of Arista CloudVision Portal (CVP) where under a certain set of conditions, user passwords can be leaked in the Audit and System logs. The impact of this vulnerability is that the CVP user login passwords might be leaked to other authenticated users.
AnalysisAI
This advisory documents an internally found vulnerability in the on premises deployment model of Arista CloudVision Portal (CVP) where under a certain set of conditions, user passwords can be leaked. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified as Exposure of Sensitive Information (CWE-200), which allows attackers to access sensitive data that should not be disclosed. This advisory documents an internally found vulnerability in the on premises deployment model of Arista CloudVision Portal (CVP) where under a certain set of conditions, user passwords can be leaked in the Audit and System logs. The impact of this vulnerability is that the CVP user login passwords might be leaked to other authenticated users. Affected products include: Arista Cloudvision Portal.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Minimize information in error messages, implement proper access controls, encrypt sensitive data at rest and in transit.
More in Cloudvision Portal
View allGo before 1.12.11 and 1.3.x before 1.13.2 can panic upon an attempt to process network traffic containing an invalid DSA
A vulnerability in Arista’s CloudVision Portal (CVP) prior to 2020.2 allows users with “read-only” or greater access rig
CloudVision Portal (CVP) before 2016.1.2.1 allows remote authenticated users to gain access to the internal configuratio
On affected versions of the CloudVision Portal improper access controls on the connection from devices to CloudVision co
In CloudVision Portal all releases in the 2018.1 and 2018.2 Code train allows users with read-only permissions to bypass
In support.c in pam_tacplus 1.3.8 through 1.5.1, the TACACS+ shared secret gets logged via syslog if the DEBUG loglevel
In CloudVision Portal (CVP) for all releases in the 2018.2 Train, under certain conditions, the application logs user pa
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today