CVE-2021-29102
There is a Server-Side Request Forgery (SSRF) vulnerability in Esri ArcGIS Server Manager version 10.8.1 and below.
In short
ArcGIS Server Manager has a flaw that lets remote attackers trick the server into making web requests to any URL they choose. This can be exploited to scan the network or launch further attacks without needing to log in.
Technical detail
A Server-Side Request Forgery (SSRF) vulnerability in ArcGIS Server Manager ≤10.8.1 allows unauthenticated remote attackers to craft malicious requests that cause the server to forge arbitrary GET requests to internal or external URLs. The vulnerability enables network reconnaissance and can facilitate secondary attacks against internal systems or services accessible from the server.
Summary generated and translated by AI from the official description.
A Server-Side Request Forgery (SSRF) vulnerability in ArcGIS Server Manager version 10.8.1 and below may allow a remote, unauthenticated attacker to forge GET requests to arbitrary URLs from the system, potentially leading to network enumeration or facilitating other attacks.
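As an added illustration (not Esri's code and not the vendor's fix for this CVE), the following Python destination check shows the class of mitigation that stops a server-side fetch feature from being turned into the SSRF primitive described above. It rejects non-HTTP schemes and URLs carrying userinfo, enforces a hostname allow-list, and then resolves the name and refuses any answer in loopback, private, link-local, multicast or reserved ranges, so an allow-listed name that quietly maps to an internal address is still blocked. The hostnames, IP addresses and the DNS table are constructed for the example; `validate_fetch_target` takes an injectable resolver with `socket.getaddrinfo`'s signature so it can run offline.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Constructed allow-list of upstream hosts this server is permitted to fetch from.
ALLOWED_HOSTS = {"tiles.example.com", "services.example.com", "cdn.example.com"}


def is_internal_address(ip: str) -> bool:
    """True for loopback, RFC 1918, link-local (this covers cloud metadata endpoints),
    multicast, reserved and unspecified addresses, i.e. anything an SSRF would use
    to reach the internal network rather than the public Internet."""
    addr = ipaddress.ip_address(ip)
    return (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def validate_fetch_target(url: str, resolver=socket.getaddrinfo) -> str:
    """Return '' if the server may fetch `url`, otherwise a short rejection reason.

    `resolver` has socket.getaddrinfo's signature so a table-driven resolver can be
    injected for offline use."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return "scheme not allowed"
    if not parsed.hostname:
        return "missing host"
    if parsed.username is not None or parsed.password is not None:
        return "userinfo not allowed"
    if parsed.hostname not in ALLOWED_HOSTS:
        return "host not in allow-list"
    try:
        port = parsed.port or (443 if parsed.scheme == "https" else 80)
    except ValueError:
        return "invalid port"
    try:
        infos = resolver(parsed.hostname, port, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return "host does not resolve"
    # Check every resolved address: an allow-listed name that maps to an internal
    # address (split-horizon DNS, rebinding) must still be rejected.
    for _family, _type, _proto, _canon, sockaddr in infos:
        if is_internal_address(sockaddr[0]):
            return "resolves to internal address"
    return ""


def make_table_resolver(table):
    """Build a getaddrinfo-compatible resolver from a constructed name -> IPs table."""
    def resolver(host, port, family=0, type=0, proto=0, flags=0):
        if host not in table:
            raise socket.gaierror(f"constructed resolver: unknown host {host}")
        return [(socket.AF_INET, socket.SOCK_STREAM, proto, "", (ip, port))
                for ip in table[host]]
    return resolver


# Constructed DNS table: one public upstream, and one allow-listed name that
# deliberately resolves to an RFC 1918 address to show the second check firing.
DEMO_RESOLVER = make_table_resolver({
    "tiles.example.com": ["93.184.216.34"],
    "services.example.com": ["10.0.0.5"],
})


if __name__ == "__main__":
    for candidate in ("https://tiles.example.com/arcgis/rest/",
                      "https://services.example.com/x",
                      "http://127.0.0.1/",
                      "file:///etc/hosts"):
        verdict = validate_fetch_target(candidate, DEMO_RESOLVER) or "allowed"
        print(candidate, "->", verdict)
```

Two design points matter in practice: the address that passed the check must be the one the HTTP client actually connects to (pin it or pass the resolved IP through), since a second lookup at connect time can return a different answer; and any redirect the upstream returns must be run through the same validation hop by hop rather than followed automatically.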
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Affected products
Esri · ArcGIS Server