CRITICAL · CVE-2024-11186 · CVSS 10

In affected versions of CloudVision Portal, improper access control may allow a malicious authenticated user to perform actions on managed EOS devices that exceed the scope intended for that user. This advisory covers the on-premise Arista CloudVision Portal product.

Platform

other

Component

cloudvision-portal

Fixed versions

2024.3.1

2024.2.2

2024.1.3

2023.3.1

2023.2.1

2023.1.1

2022.3.1

2022.2.1

2022.1.1

2021.3.1

2021.2.1

2021.1.1

2020.3.1

2020.2.1

2020.1.1

2019.1.1

2018.2.1

2018.1.1

2017.2.1

AI Confidence: high · NVD · EPSS 0.3% · Reviewed: May 2026

CVE-2024-11186 is an improper access control vulnerability in Arista CloudVision Portal. An authenticated user with malicious intent can exceed the permissions granted to their account and perform broader actions on the EOS devices the portal manages. The vulnerability affects on-premise deployments of CloudVision Portal; this page states the affected range as versions 2021.3 through 2024.3.0, with the fix for the current train in 2024.3.1 and a corresponding fixed release for each older train listed in the affected-software table below (2024.2.2, 2024.1.3, and so on). Note that the table lists fixed releases back to 2017.2.1, a wider span than the 2021.3 to 2024.3.0 range stated here; confirm the affected range for your train against the Arista advisory rather than relying on either figure alone.

Impact and attack scenarios

The impact is significant because the flaw amounts to privilege escalation inside the network management plane. An attacker who already holds a valid CloudVision Portal account could use it to push configuration changes, disable security features, or take control of managed EOS devices beyond the scope that account was meant to have. The consequences range from network disruption to data exposure, scaled by how critical the managed EOS devices are and how sensitive the traffic they carry is. The vulnerability underlines why a network management system must enforce robust access controls and the principle of least privilege on every device-scoped operation, not merely authenticate the caller.

Exploitation context

CVE-2024-11186 was publicly disclosed on 2025-05-08. As of this writing there is no publicly available proof-of-concept exploit and the CVE is not listed in the CISA KEV catalog; the EPSS estimate shown on this page (0.35%) is correspondingly low. A CRITICAL score measures potential impact rather than observed exploitation, but since the only precondition is a valid portal account, organizations should still prioritize patching.

Who is at risk

Organizations utilizing on-premise deployments of Arista CloudVision Portal, particularly those managing critical network infrastructure with EOS devices, are at risk. Environments with overly permissive user roles or a lack of robust access control policies are especially vulnerable.

Attack timeline

  1. Disclosure

Threat intelligence

Exploitation status

Proof of concept: unknown
CISA KEV: no
Internet exposure: not given

EPSS

0.35% (57th percentile)

CISA SSVC

Exploitation: none
Automatable: yes
Technical impact: total

CVSS vector

Threat intelligence · CVSS 3.1 · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H · 10.0 CRITICAL (source: nextguardhq.com, CVSS v3.1 base score)

Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions needed to exploit)
Privileges Required: None (level of authentication the attack needs)
User Interaction: None (whether the victim must act)
Scope: Changed (impact reaches beyond the vulnerable component)
Confidentiality: High (risk of sensitive data exposure)
Integrity: High (risk of unauthorized data modification)
Availability: High (risk of service disruption)

What these metrics mean

Attack Vector
Network: exploitable remotely over the internet, with no physical or local access required. The largest attack surface.
Attack Complexity
Low: no special conditions; the flaw can be exploited reliably.
Privileges Required
None: no authentication or credentials are needed.
User Interaction
None: the attack is automatic and silent; the victim need not do anything.
Scope
Changed: the attack reaches beyond the vulnerable component and affects other systems. Here the vulnerable component is the portal, and the systems affected are the EOS devices it manages.
Confidentiality
High: total loss of confidentiality; the attacker can read all data.
Integrity
High: the attacker can write, modify, or delete any data.
Availability
High: complete outage or resource exhaustion, a full denial of service.

Caveat: this vector encodes Privileges Required as None, yet the description on this page says the attacker must be an authenticated user. With PR:L instead of PR:N the same vector scores 9.9 rather than 10.0. Treat the published vector as one scoring of the issue, and check the score in Arista's own advisory before relying on it for prioritization.

Affected software

Component: cloudvision-portal
Vendor: Arista Networks

Affected range         Fixed version
2024.3.0 – 2024.3.0    2024.3.1
2024.2.0 – 2024.2.1    2024.2.2
2024.1.0 – 2024.1.2    2024.1.3
2023.3 – 2023.3        2023.3.1
2023.2 – 2023.2        2023.2.1
2023.1 – 2023.1        2023.1.1
2022.3 – 2022.3        2022.3.1
2022.2 – 2022.2        2022.2.1
2022.1 – 2022.1        2022.1.1
2021.3 – 2021.3        2021.3.1
2021.2 – 2021.2        2021.2.1
2021.1 – 2021.1        2021.1.1
2020.3 – 2020.3        2020.3.1
2020.2 – 2020.2        2020.2.1
2020.1 – 2020.1        2020.1.1
2019.1 – 2019.1        2019.1.1
2018.2 – 2018.2        2018.2.1
2018.1 – 2018.1        2018.1.1
2017.2 – 2017.2        2017.2.1

Weakness classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. EPSS updated

Mitigations and workarounds

The primary mitigation is to upgrade to the fixed release for your CloudVision Portal train (2024.3.1 for the 2024.3 train; the affected-software table on this page lists the fixed release for each earlier train). Until the upgrade is done, reduce the blast radius of any single account: review portal users and roles against the principle of least privilege, remove accounts that are no longer needed, and restrict which users can reach the portal at all, for example with network access controls in front of it. Monitor CloudVision Portal audit logs for device-scoped operations, in particular configuration changes or reboots on EOS devices issued by users whose role should not permit them. After upgrading, verify the fix with negative tests: log in with a restricted role, attempt actions and target devices outside that role's scope, and confirm that each request is denied.
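The following added example (not Arista's code, and not CloudVision's real RBAC model or log schema) shows the access-control pattern behind a bug of this class next to its least-privilege fix, then runs the two checks the paragraph above calls for: a review of audit records for actions that exceed the caller's role, and a post-upgrade negative test that must pass before the fix is considered verified. The role names, user accounts, device IDs and audit-record format are all constructed for illustration.

```python
"""Added example, not Arista's code: the authorization pattern behind an
'authenticated user exceeds intended scope' bug, its least-privilege fix, and
the two checks the mitigation text calls for (audit-log review and a
post-upgrade negative test). Role names, users, device IDs and the audit-record
format are constructed for illustration; CloudVision's real RBAC model and
log schema are not reproduced here."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Role:
    actions: frozenset  # operations the role may perform
    devices: frozenset  # device IDs in scope; "*" means every managed device


# Hypothetical role model (an assumption, not CloudVision's built-in roles).
ROLES = {
    "network-admin":   Role(frozenset({"read_config", "push_config", "reboot"}), frozenset({"*"})),
    "site-a-operator": Role(frozenset({"read_config", "push_config"}), frozenset({"SW-A1", "SW-A2"})),
    "read-only":       Role(frozenset({"read_config"}), frozenset({"*"})),
}
USERS = {"alice": "network-admin", "bob": "site-a-operator", "carol": "read-only"}


def authorize_vulnerable(user: str, action: str, device: str) -> bool:
    """Improper access control: the only question asked is 'is this a known
    (authenticated) user?'. Role and device scope are never consulted, so any
    valid account can act on any managed device."""
    return user in USERS


def authorize(user: str, action: str, device: str) -> bool:
    """Hardened check: deny by default, then require that both the action and
    the target device fall inside the caller's role."""
    role = ROLES.get(USERS.get(user, ""))
    if role is None or action not in role.actions:
        return False
    return "*" in role.devices or device in role.devices


# Constructed audit records in a made-up schema (not CloudVision's log format).
AUDIT_LOG = [
    {"user": "alice",   "action": "push_config", "device": "SW-B7", "result": "ok"},
    {"user": "bob",     "action": "push_config", "device": "SW-A1", "result": "ok"},
    {"user": "bob",     "action": "push_config", "device": "SW-B7", "result": "ok"},      # outside site A
    {"user": "carol",   "action": "reboot",      "device": "SW-A2", "result": "ok"},      # read-only user rebooting
    {"user": "carol",   "action": "push_config", "device": "SW-A1", "result": "denied"},
    {"user": "mallory", "action": "read_config", "device": "SW-A1", "result": "ok"},      # unknown principal
]


def find_overreach(records):
    """Log review from the mitigation text: successful actions that the
    caller's role should not have permitted. On an unpatched portal these are
    the entries worth investigating."""
    return [r for r in records
            if r["result"] == "ok" and not authorize(r["user"], r["action"], r["device"])]


# Post-upgrade verification: out-of-scope requests that must all be denied.
NEGATIVE_PROBES = [
    ("bob",   "push_config", "SW-B7"),   # right action, wrong site
    ("carol", "reboot",      "SW-A2"),   # action not in the read-only role
    ("carol", "push_config", "SW-A1"),   # action not in the read-only role
]


def fix_verified(authorize_fn) -> bool:
    """True only if every negative probe is refused by the given check."""
    return all(not authorize_fn(u, a, d) for u, a, d in NEGATIVE_PROBES)


if __name__ == "__main__":
    for r in find_overreach(AUDIT_LOG):
        print("overreach:", r)
    print("vulnerable check passes verification:", fix_verified(authorize_vulnerable))
    print("hardened check passes verification:", fix_verified(authorize))
```

Two design points carry over to a real deployment: the hardened check evaluates the target device as well as the action, because a role that is correct for the action but unbounded in device scope is exactly the "broader than intended" outcome the advisory describes; and the verification probes are negative tests, since a fix for an authorization bug is only demonstrated by requests that are refused.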

Remediation

Update CloudVision Portal to an unaffected version. See Arista's advisory for further details and version-specific update instructions. Apply the access control measures the vendor recommends.


Frequently asked questions

What is CVE-2024-11186 — Improper Access Controls in Arista CloudVision Portal?

CVE-2024-11186 is a CRITICAL vulnerability affecting Arista CloudVision Portal versions 2021.3–2024.3.0, allowing authenticated users to perform unauthorized actions on managed EOS devices.

Am I affected by CVE-2024-11186 in Arista CloudVision Portal?

If you are running Arista CloudVision Portal on-premise in versions 2021.3 through 2024.3.0, you are potentially affected by this vulnerability.

How do I fix CVE-2024-11186 in Arista CloudVision Portal?

Upgrade Arista CloudVision Portal to version 2024.3.1 or later to remediate the vulnerability. Implement stricter access controls as an interim measure.

Is CVE-2024-11186 being actively exploited?

As of now, there are no publicly known active exploitation campaigns, but the CRITICAL severity warrants immediate patching.

Where can I find the official Arista advisory for CVE-2024-11186?

Refer to the official Arista CloudVision Portal security advisory for detailed information and guidance: [https://www.arista.com/en/support/security/advisories/cloudvision-portal-security-advisory-cve-2024-11186]
