Backup uploads to ETM subject to man-in-the-middle interception

Specially constructed queries targeting ETM could discover active remote access sessions

Expired and unusable administrator authentication tokens can be revealed by units that have timed out from ETM access

Multiple SQL Injection vulnerabilities exist in the reporting application. A user with advanced report application access rights can exploit the SQL injection, allowing them to execute commands on the underlying operating system with elevated privileges.

A user with administrator privileges is able to retrieve authentication tokens

The administrator is able to configure an insecure captive portal script

A user with administrator privileges can perform command injection

On Arista CloudVision Appliance (CVA) affected releases running on appliances that support hardware disk encryption (DCA-350E-CV only), the disk encryption might not be successfully performed. This results in the disks remaining unsecured and data on them

On affected platforms running Arista EOS, a specially crafted packet with incorrect VLAN tag might be copied to CPU, which may cause incorrect control plane behavior related to the packet, such as route flaps, multicast routes learnt, etc.

On affected platforms running Arista EOS with SNMP configured, if “snmp-server transmit max-size” is configured, under some circumstances a specially crafted packet can cause the snmpd process to leak memory. This may result in the snmpd process being terminated (causing SNMP requests to time out u…