CVE-2022-38202

BUG-000152121 - Directory traversal vulnerability in ArcGIS Server.

CVSS 7.5 HIGHEPSS 1.3%CWE-23

In short

ArcGIS Server versions 10.9.1 and earlier contain a path traversal flaw that allows attackers to access files outside the intended directory without authentication. This could expose sensitive server configuration information.

Technical detail

A path traversal vulnerability (CWE-23) in ArcGIS Server ≤10.9.1 permits unauthenticated remote attackers to manipulate file paths and read arbitrary files on the server filesystem. The vulnerability enables disclosure of sensitive configuration data, though not user datasets, via direct HTTP requests that bypass directory restrictions.

Summary generated and translated by AI from the official description.

There is a path traversal vulnerability in Esri ArcGIS Server versions 10.9.1 and below. Successful exploitation may allow a remote, unauthenticated attacker traverse the file system to access files outside of the intended directory on ArcGIS Server. This could lead to the disclosure of sensitive site configuration information (not user datasets).

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected products

Esri · ArcGIS Server

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2022-update-2-patch-is-now-available