CVE-2022-38211

Server Side Request Forgery (SSRF) vulnerability in Portal for ArcGIS (10.9.1, 10.8.1 and 10.7.1 only)

CVSS 7.5 HIGH · EPSS 0.9% · CWE-918
In short

Portal for ArcGIS fails to properly block Server-Side Request Forgery attacks, allowing an unauthenticated attacker to make the server request arbitrary URLs. This can expose internal network resources or sensitive information that should not be accessible from outside.

Technical detail

An unauthenticated remote attacker can bypass the SSRF protections in Portal for ArcGIS (versions 10.9.1 and below) to forge HTTP requests from the vulnerable server to arbitrary URLs. This enables network reconnaissance and potential exfiltration of data from internal hosts; the CVSS score of 7.5 reflects the high confidentiality impact reachable over the network without authentication.

Summary generated and translated by AI from the official description.
Protections against potential Server-Side Request Forgery (SSRF) vulnerabilities in Esri Portal for ArcGIS versions 10.9.1 and below were not fully honored and may allow a remote, unauthenticated attacker to forge requests to arbitrary URLs from the system, potentially leading to network enumeration or reading from hosts inside the network perimeter, a different issue than CVE-2022-38211 and CVE-2022-38212.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected products
Esri · ArcGIS Enterprise
