Lucene search

EsriCVELIST:CVE-2022-38187

HistoryAug 15, 2022 - 9:00 p.m.

CVE-2022-38187 Prevent access to sharing/rest/content/features/analyze to unauthorized users

2022-08-1521:00:16

CWE-918

Esri

www.cve.org

cve-2022-38187

esri portal

unauthorized access

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

47.5%

JSON

Prior to version 10.9.0, the sharing/rest/content/features/analyze endpoint is always accessible to anonymous users, which could allow an unauthenticated attacker to induce Esri Portal for ArcGIS to read arbitrary URLs.

CNA Affected

[
  {
    "platforms": [
      "x64"
    ],
    "product": "Portal for ArcGIS",
    "vendor": "Esri",
    "versions": [
      {
        "lessThanOrEqual": "10.8.1",
        "status": "affected",
        "version": "All",
        "versionType": "custom"
      }
    ]
  }
]

References

www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/portal-for-arcgis-security-2022-update-1-patch/

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

47.5%

JSON

Related for CVELIST:CVE-2022-38187