ArcGIS Earth

ArcGIS Earth Security Update

A path traversal vulnerability exists in Esri ArcGIS Earth versions 1.11.0 and below which allows arbitrary file creation on an affected system through crafted input. An attacker could exploit this vulnerability to gain arbitrary code execution under the security context of the user running ArcGIS Earth by inducing the user to upload a crafted file to an affected system.

Mitigating measures: 

Esri has released an update for ArcGIS Earth that resolves this high-risk vulnerability here.

Common Vulnerability Scoring System (CVSS v3.1) Details 

7.8 Base Score, 7.0 Temporal Score 

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C  

We provide the temporal score in addition to the base score to allow our customers to better assess the risk of this vulnerability to their operations. Please see Common Vulnerability Scoring System for more information on the definition of these metrics.

Vulnerability Details 

Acknowledgements 

About the authors

I'm a member of the Software Security and Privacy Team. I also help out with Esri's Product Security Incident Response Team. I've been with Esri almost 14 years now. Before joining the Software Security and Privacy Team, I was a senior technical lead in Esri Support Services, focusing on deploying, securing, and using ArcGIS Enterprise technology.
