ArcGIS Blog

Administration

ArcGIS Enterprise

Portal for ArcGIS Security 2022 Update 1 Patch

By RandallWilliams and Michael Young

Esri has released the Portal for ArcGIS Security 2022 Update 1 Patch that resolves multiple high and medium severity security vulnerabilities across versions 10.9.1, 10.8.1, and 10.7.1.

This patch is available here.

We provide Common Vulnerability Scoring System v.3.1 (CVSS) scores to allow our customers to better assess risk of these vulnerabilities to their operations.  Both base and modified temporal scores are provided to reflect the availability of an official patch.

Vulnerabilities fixed by this patch

CVE-2022-38184CWE-284

There is an improper access control vulnerability in Portal for ArcGIS versions 10.8.1 and below which could allow a remote, unauthenticated attacker to access an API that may induce Esri Portal for ArcGIS to read arbitrary URLs.

CVSS Details:

  • 7.5 Base Score, 6.2 Temporal Score
  • Remediation Level: Official Fix Available
  • Report Confidence: Confirmed by Esri
  • /AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/RL:O/RC:C/MPR:L

Mitigations: Disable anonymous access to Portal for ArcGIS

Esri Bug ID: BUG-000143640 & BUG-000143638

 

CVE-2022-38186CWE-79

There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 10.8.1 and below which may allow a remote attacker able to convince a user to click on a crafted link which could potentially execute arbitrary JavaScript code in the victim’s browser.

CVSS Details:

  • 7.1 Base Score, 5.2 Temporal Score
  • Remediation Level: Official Fix Available
  • Report Confidence: Confirmed by Esri
  • /AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L/RL:O/MPR:L

Mitigations: Disable Anonymous Access to Portal for ArcGIS

Esri Bug ID: BUG-000143642 & BUG-000137733

 

CVE-2022-38188CWE-79

There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 10.8.1 and below which may allow a remote attacker able to convince a user to click on a crafted link which could potentially execute arbitrary JavaScript code in the victim’s browser.

CVSS Details:

  • 7.1 Base Score, 5.2 Temporal Score
  • Remediation Level: Official Fix Available
  • Report Confidence: Confirmed by Esri
  • /AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L/RL:O/MPR:L

Mitigations: Disable Anonymous Access to Portal for ArcGIS

Esri Bug ID: BUG-000136544

 

CVE-2022-38194 – CWE-311

In Esri Portal for ArcGIS versions 10.8.1, a system property is not properly encrypted. This may lead to a local user reading sensitive information from a properties file.

CVSS Details:

  • 6.7 Base Score, 6.4 Temporal Score
  • Remediation Level: Official Fix Available
  • Report Confidence: Confirmed by Esri
  • /AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N/RL:O/RC:C

Esri Bug ID: BUG-000133255

 

CVE-2022-38193CWE-95

There is a code injection vulnerability in Esri Portal for ArcGIS versions 10.8.1 and below that may allow a remote, unauthenticated attacker to pass strings which could potentially cause arbitrary code execution.

CVSS Details:

  • 6.1 Base Score, 5.8 Temporal Score
  • Remediation Level: Official Fix Available
  • Report Confidence: Confirmed by Esri
  • /AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/RL:O

Esri Bug ID: BUG-000135726

 

CVE-2022-38192CWE-79

There is a stored Cross Site Scripting (XSS) vulnerability in Esri Portal for ArcGIS versions 10.8.1 and below that may allow a remote, unauthenticated attacker to pass and store malicious strings via crafted queries which when accessed could potentially execute arbitrary JavaScript code in the user’s browser

CVSS Details:

  • 5.7 Base Score, 5.5 Temporal Score
  • Remediation Level: Official Fix Available
  • Report Confidence: Confirmed by Esri
  • /AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N/RL:O

Esri Bug ID: BUG-000149597

 

CVE-2022-38190CWE-79

There is a stored Cross Site Scripting (XSS) vulnerability in Esri Portal for ArcGIS configurable apps versions 10.8.1 and below that may allow a remote, unauthenticated attacker to pass and store malicious strings via crafted queries which when accessed could potentially execute arbitrary JavaScript code in the user’s browser

CVSS Details:

  • 5.4 Base Score, 5.2 Temporal Score
  • Remediation Level: Official Fix Available
  • Report Confidence: Confirmed by Esri
  • AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/RL:O/RC:C/

Esri Bug ID: BUG-000143643

 

 

CVE-2022-38191CWE-74

There is an HTML injection issue in Esri Portal for ArcGIS versions 10.9 and below which may allow a remote, authenticated attacker to inject HTML into some locations in the home application.

CVSS Details:

  • 5.4 Base Score, 5.2 Temporal Score
  • Remediation Level: Official Fix Available
  • Report Confidence: Confirmed by Esri
  • AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/RL:O

Esri Bug ID: BUG-000138486

 

CVE-2022-38189CWE-79

There is a stored Cross Site Scripting (XSS) vulnerability in Esri Portal for ArcGIS which may allow a remote, authenticated attacker to pass and store malicious strings via crafted queries which when accessed could potentially execute arbitrary JavaScript code in the user’s browser. This is a separate fix than BUG-000149597.

CVSS Details:

  • 5.4 Base Score, 5.2 Temporal Score
  • Remediation Level: Official Fix Available
  • Report Confidence: Confirmed by Esri
  • AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/RL:O/RC:C/

Esri Bug ID: BUG-000133257

 

Share this article