PT-2021-17872 · Arista · Arista EOS, CloudEOS

Published: 2021-10-19 · Updated: 2022-07-30 · CVE-2021-28496

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Arista EOS and CloudEOS. Affected releases are all releases in the 4.22.x train, 4.23.9 and below in the 4.23.x train, 4.24.7 and below in the 4.24.x train, 4.25.4 and below in the 4.25.x train, and 4.26.1 and below in the 4.26.x train.
Description: When shared secret profiles are in use, the password configured for BiDirectional Forwarding Detection (BFD) is returned in cleartext in eAPI responses and other JSON-formatted command outputs. Any other user who is authenticated to the device and can request that output can therefore read the BFD secret. This is why the CVSS vector requires only low privileges (PR:L) and rates the impact as confidentiality only (C:H): the attacker already has an account on the device, and what they gain is a credential, not control of the box.
Recommendations: The same weakness is present in every affected train (4.22.x, 4.23.x up to 4.23.9, 4.24.x up to 4.24.7, 4.25.x up to 4.25.4, 4.26.x up to 4.26.1), so the mitigations are the same for all of them. Upgrade to a release newer than the affected ceiling of the train in use. Until that is possible: restrict eAPI and other JSON-formatted outputs to trusted users; avoid shared secret profiles, or disable BFD where the operational cost is acceptable; and treat any BFD secret that other authenticated users may already have read as compromised and rotate it after upgrading.
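Two checks a practitioner would script from this entry, shown here as an added example that is not part of the advisory and not Arista's code: first, whether a given EOS version string falls inside one of the affected trains listed above (the per-train ceilings come from the entry; EOS version strings carry a release-type suffix such as "F" or "M", which the parser ignores); second, a walk over a JSON document such as an eAPI reply that reports every password/secret-like string value that is not redacted. The sample eAPI reply below is constructed for the example, and its field names are hypothetical; the entry does not say which command exposes the secret.

```python
"""Audit helpers for CVE-2021-28496 (Arista EOS/CloudEOS BFD shared-secret leak).

  1. is_affected(version): does a running EOS version fall in an affected train?
  2. audit_eapi_response(raw): list JSON paths of unredacted secret-like values
     in a JSON document (for example an eAPI JSON-RPC reply).
"""
import json
import re
from typing import Any, Iterator

# Highest affected patch release per train, taken from the advisory text.
# None means every release in the train is affected.
AFFECTED_TRAINS = {
    (4, 22): None,
    (4, 23): 9,
    (4, 24): 7,
    (4, 25): 4,
    (4, 26): 1,
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_eos_version(version: str) -> tuple[int, int, int]:
    """Parse 'major.minor.patch' from strings like '4.26.1F' or '4.25.4M'.

    The trailing release-type letter is ignored; anything that does not start
    with three dotted integers raises rather than silently reporting "not affected".
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised EOS version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def is_affected(version: str) -> bool:
    """True if the version is inside an affected train at or below its ceiling."""
    major, minor, patch = parse_eos_version(version)
    ceiling = AFFECTED_TRAINS.get((major, minor), "unlisted")
    if ceiling == "unlisted":
        return False
    return ceiling is None or patch <= ceiling


# Key names that usually hold credentials; values under them must be redacted.
SECRET_KEY_RE = re.compile(r"(password|passwd|secret)", re.IGNORECASE)


def _looks_redacted(value: str) -> bool:
    """Treat empty strings, runs of '*' and common placeholders as redacted."""
    return value == "" or set(value) <= {"*"} or value.upper() in {"<REMOVED>", "REDACTED"}


def find_plaintext_secrets(obj: Any, path: str = "$") -> Iterator[tuple[str, str]]:
    """Yield (json_path, value) for every unredacted string under a secret-like key."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            child = f"{path}.{key}"
            if isinstance(value, str) and SECRET_KEY_RE.search(key) and not _looks_redacted(value):
                yield child, value
            else:
                yield from find_plaintext_secrets(value, child)
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            yield from find_plaintext_secrets(value, f"{path}[{i}]")


def audit_eapi_response(raw: str) -> list[str]:
    """Return the JSON paths of unredacted secret-like values in a raw JSON reply."""
    return [path for path, _ in find_plaintext_secrets(json.loads(raw))]


# Constructed sample eAPI JSON-RPC reply (not real device output; the
# "profiles" structure and its field names are hypothetical). It mimics the
# failure mode in the advisory: one shared-secret profile's password comes back
# in cleartext, the other is correctly masked.
SAMPLE_RESPONSE = json.dumps({
    "jsonrpc": "2.0",
    "id": "audit-1",
    "result": [
        {
            "profiles": {
                "bfd-shared-1": {"type": "shared-secret", "password": "s3cr3t-bfd-key"},
                "bfd-shared-2": {"type": "shared-secret", "password": "*****"},
            }
        }
    ],
})

if __name__ == "__main__":
    for v in ("4.22.0F", "4.23.9M", "4.23.10M", "4.26.1F", "4.26.2F"):
        print(f"{v:10} affected={is_affected(v)}")
    print("leaked:", audit_eapi_response(SAMPLE_RESPONSE))
```

Run the JSON scan over output collected with a least-privileged eAPI account rather than the account that configured BFD: the advisory's point is that the secret is visible to other authenticated users, so a scan as the configuring user proves nothing about the exposure.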

Fix

Weakness Enumeration

CWE-311: Missing Encryption of Sensitive Data
CWE-522: Insufficiently Protected Credentials

Related Identifiers

CVE-2021-28496

Affected Products

Arista EOS
CloudEOS