Esri has released the Portal for ArcGIS Security 2022 Update 2 Patch that resolves multiple high and medium severity security vulnerabilities across versions 11.0, 10.9.1, 10.8.1, and 10.7.1.
This patch was released on 12/5/2022 and is available here.
We provide Common Vulnerability Scoring System v.3.1 (CVSS) scores to allow our customers to better assess risk of these vulnerabilities to their operations. Both base and modified temporal scores are provided to reflect the availability of an official patch.
Vulnerabilities fixed by this patch
CVE-2022-38205 – CWE-23
In some non-default installations of Esri Portal for ArcGIS versions 10.9.1 and below, a directory traversal issue may allow a remote, unauthenticated attacker to traverse the file system and lead to the disclosure of sensitive data (not customer-published content).
CVSS Details:
- 8.6 Base Score, 8.2 Temporal Score
- Remediation Level: Official Fix Available
- Report Confidence: Confirmed by Esri
- #CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N/RL:O/RC:C
- Mitigations: Installations using default installation paths are unaffected
Esri Bug ID: BUG-000148810
CVE-2022-38203– CWE-918
Protections against potential Server-Side Request Forgery (SSRF) vulnerabilities in Esri Portal for ArcGIS versions 10.8.1 and below were not fully honored and may allow a remote, unauthenticated attacker to forge requests to arbitrary URLs from the system, potentially leading to network enumeration or reading from hosts inside the network perimeter, a different issue than CVE-2022-38211 and CVE-2022-38212.
CVSS Details:
- 7.5 Base Score, 7.2 Temporal Score
- Remediation Level: Official Fix Available
- Report Confidence: Confirmed by Esri
- #CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/RL:O/RC:C
Esri Bug ID: BUG-000143641
CVE-2022-38211– CWE-918
Protections against potential Server-Side Request Forgery (SSRF) vulnerabilities in Esri Portal for ArcGIS versions 10.8.1 and below were not fully honored and may allow a remote, unauthenticated attacker to forge requests to arbitrary URLs from the system, potentially leading to network enumeration or reading from hosts inside the network perimeter, a different issue than CVE-2022-38212 and CVE-2022-38203.
CVSS Details:
- 7.5 Base Score, 7.2 Temporal Score
- Remediation Level: Official Fix Available
- Report Confidence: Confirmed by Esri
- #CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/RL:O/RC:C
Esri Bug ID: BUG-000143573
CVE-2022-38212– CWE-918
Protections against potential Server-Side Request Forgery (SSRF) vulnerabilities in Esri Portal for ArcGIS versions 10.8.1 and below were not fully honored and may allow a remote, unauthenticated attacker to forge requests to arbitrary URLs from the system, potentially leading to network enumeration or reading from hosts inside the network perimeter, a different issue than CVE-2022-38211 and CVE-2022-38203.
CVSS Details:
- 7.5 Base Score, 7.2 Temporal Score
- Remediation Level: Official Fix Available
- Report Confidence: Confirmed by Esri
- #CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/RL:O/RC:C
Esri Bug ID: BUG-000130783
CVE-2022-38204– CWE-79
There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 10.8.1 and 10.7.1 which may allow a remote, unauthenticated attacker to create a crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser.
CVSS Details:
- 6.1 Base Score, 5.2 Temporal Score
- Remediation Level: Official Fix Available
- Report Confidence: Confirmed by Esri
- #CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/RL:O/MPR:L/MAV:A
Esri Bug ID: BUG-000141886
CVE-2022-38206– CWE-79
There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 10.8.1 and 10.7.1 which may allow a remote, unauthenticated attacker to create a crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser.
CVSS Details:
- 6.1 Base Score, 5.2 Temporal Score
- Remediation Level: Official Fix Available
- Report Confidence: Confirmed by Esri
- #CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/RL:O/MPR:L/MAV:A
Esri Bug ID: BUG-000151892
CVE-2022-38207– CWE-79
There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 10.8.1 and 10.7.1 which may allow a remote, unauthenticated attacker to create a crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser.
CVSS Details:
- 6.1 Base Score, 5.2 Temporal Score
- Remediation Level: Official Fix Available
- Report Confidence: Confirmed by Esri
- #CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/RL:O/MPR:L/MAV:A
Esri Bug ID: BUG-000136210
CVE-2022-38209– CWE-79
There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 10.9.1 and below that may allow a remote, unauthenticated attacker to create a crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser.
CVSS Details:
- 6.1 Base Score, 5.2 Temporal Score
- Remediation Level: Official Fix Available
- Report Confidence: Confirmed by Esri
- #CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/RL:O/MPR:L/MAV:A
Esri Bug ID: BUG-000152437
CVE-2022-38210– CWE-79
There is a reflected HTML injection vulnerability in Esri Portal for ArcGIS versions 10.9.1 and below that may allow a remote, unauthenticated attacker to create a crafted link which when clicked could render arbitrary HTML in the victim’s browser.
CVSS Details:
- 6.1 Base Score, 5.2 Temporal Score
- Remediation Level: Official Fix Available
- Report Confidence: Confirmed by Esri
- #CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/RL:O/MPR:L/MAV:A
Esri Bug ID: BUG-000148008
CVE-2022-38208– CWE-79
There is an unvalidated redirect vulnerability in Esri Portal for ArcGIS 11.0 and below that may allow a remote, unauthenticated attacker to craft a URL that could redirect a victim to an arbitrary website, simplying phishing attacks. CVSS Details:
- 6.1 Base Score, 5.2 Temporal Score
- Remediation Level: Official Fix Available
- Report Confidence: Confirmed by Esri
- #CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/RL:O/MPR:L/MAV:A
Esri Bug ID: BUG-000152035
Commenting is not enabled for this article.