CVE-2024-9134
Published: 10 January 2025
Description
Multiple SQL Injection vulnerabilities exist in the reporting application. A user with advanced report application access rights can exploit the SQL injection, allowing them to execute commands on the underlying operating system with elevated privileges.
Security Summary
CVE-2024-9134 consists of multiple SQL injection vulnerabilities (CWE-89) in Arista's reporting application. These flaws carry a CVSS v3.1 base score of 8.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L) and were published on 2025-01-10. The vulnerabilities enable unauthorized database query manipulation within the reporting component.
A user possessing advanced report application access rights (matching the low privileges required, PR:L) can exploit these SQL injections remotely over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Exploitation allows the attacker to execute arbitrary commands on the underlying operating system with elevated privileges, resulting in high impacts to confidentiality and integrity, alongside a low impact to availability.
Arista has published a security advisory detailing the issue and mitigation steps at https://www.arista.com/en/support/advisories-notices/security-advisory/20454-security-advisory-0105.
Details
- CWE(s)