Skip to main content

Eos CVE-2023-0451

HIGH
Improper Access Control (CWE-284)
2023-01-26 ics-cert@hq.dhs.gov
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
CVE Published
Jan 26, 2023 - 21:18 nvd
HIGH 7.5

DescriptionNVD

Econolite EOS versions prior to 3.2.23 lack a password requirement for gaining “READONLY” access to log files and certain database and configuration files. One such file contains tables with MD5 hashes and usernames for all defined users in the control software, including administrators and technicians.

AnalysisAI

Econolite EOS versions prior to 3.2.23 lack a password requirement for gaining “READONLY” access to log files and certain database and configuration files. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified under CWE-284. Econolite EOS versions prior to 3.2.23 lack a password requirement for gaining “READONLY” access to log files and certain database and configuration files. One such file contains tables with MD5 hashes and usernames for all defined users in the control software, including administrators and technicians. Affected products include: Econolite Eos. Version information: prior to 3.2.23.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

More in Eos

View all
CVE-2017-14491 CRITICAL POC
9.8 Oct 04

Heap-based buffer overflow in dnsmasq before 2.78 allows remote attackers to cause a denial of service (crash) or execut

CVE-2024-6387 HIGH POC
8.1 Jul 01

Remote code execution in OpenSSH's sshd server (regression of CVE-2006-5051) allows unauthenticated remote attackers to

CVE-2026-7473 MEDIUM POC
6.9 Jun 05

Tunnel decapsulation logic in Arista EOS fails to verify the encapsulation protocol type, allowing any tunneled packet d

CVE-2015-5165 CRITICAL
9.3 Aug 12

The C+ mode offload emulation in the RTL8139 network card device model in QEMU, as used in Xen 4.5.x and earlier, allows

CVE-2023-24509 HIGH POC
7.8 Apr 13

On affected modular platforms running Arista EOS equipped with both redundant supervisor modules and having the redundan

CVE-2015-3209 HIGH
7.5 Jun 15

Heap-based buffer overflow in the PCNET controller in QEMU allows remote attackers to execute arbitrary code by sending

CVE-2015-8236 CRITICAL
10.0 Nov 19

Arista EOS before 4.11.12, 4.12 before 4.12.11, 4.13 before 4.13.14M, 4.14 before 4.14.5FX.5, and 4.15 before 4.15.0FX1.

CVE-2023-3646 HIGH POC
7.5 Aug 29

On affected platforms running Arista EOS with mirroring to multiple destinations configured, an internal system error ma

CVE-2023-24511 HIGH POC
7.5 Apr 12

On affected platforms running Arista EOS with SNMP configured, a specially crafted packet can cause a memory leak in the

CVE-2022-26300 HIGH POC
7.5 Mar 17

EOS v2.1.0 was discovered to contain a heap-buffer-overflow via the function txn_test_gen_plugin. Rated high severity (C

CVE-2020-15897 HIGH POC
7.5 Oct 26

Arista EOS before 4.21.12M, 4.22.x before 4.22.7M, 4.23.x before 4.23.5M, and 4.24.x before 4.24.2F allows remote attack

CVE-2019-17596 HIGH POC
7.5 Oct 24

Go before 1.12.11 and 1.3.x before 1.13.2 can panic upon an attempt to process network traffic containing an invalid DSA

Share

CVE-2023-0451 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy