CVE-2024-12832 HIGH

CVE-2024-12832: Arista NG Firewall ReportEntry SQL Injection Arbitrary File Read and Write Vulnerability

Vendor Arista

Product NG Firewall

Weakness CWE-89 · SQLi

Published December 20, 2024

Last update December 20, 2024

View on NVD All CVEs

CVSS base score

8.3/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

What the vulnerability does

01Description

Arista NG Firewall ReportEntry SQL Injection Arbitrary File Read and Write Vulnerability. This vulnerability allows remote attackers to create arbitrary files and disclose sensitive information on affected installations of Arista NG Firewall. Authentication is required to exploit this vulnerability. The specific flaw exists within the ReportEntry class. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the www-data user. Was ZDI-CAN-24325.

Key dates

02Disclosure timeline

December 20, 2024 CVE published

December 20, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-12832

Related vulnerabilities

CVE-2024-12832: Arista NG Firewall ReportEntry SQL Injection Arbitrary File Read and Write Vulnerability

01Description

02Disclosure timeline

03References

04Related CVE