CVE-2022-38205
Portal for ArcGIS has a directory traversal vulnerability (10.9.1, 10.8.1 and 10.7.1 only)
In short
Portal for ArcGIS has a flaw that lets attackers access files outside the intended directory on the server, potentially exposing sensitive information. This vulnerability only affects certain non-default installations and requires no authentication.
Technical detail
A directory traversal vulnerability (CWE-23) in Esri Portal for ArcGIS versions 10.9.1, 10.8.1, and 10.7.1 allows unauthenticated remote attackers to manipulate file paths and access arbitrary files on the system, leading to disclosure of sensitive data. The vulnerability is specific to certain non-default server configurations.
Summary generated and translated by AI from the official description.
In some non-default installations of Esri Portal for ArcGIS versions 10.9.1 and below, a directory traversal issue may allow a remote, unauthenticated attacker to traverse the file system and lead to the disclosure of sensitive data (not customer-published content).
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Affected products
Esri · ArcGIS Enterprise