Esri has recently discovered a critical Server-Side Request Forgery (SSRF) vulnerability in ArcGIS Server. This issue has been assigned a base CVSS score of 9.8 – with an exploit vector as CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.
In response, Esri has released the ArcGIS Server Security 2020 Update 1 Patch for all currently supported ArcGIS Server versions 10.7.1 and prior to address this issue. ArcGIS Server 10.8 is unaffected by this vulnerability.
Special steps are required by persons with network access to the ArcGIS deployment to exploit this SSRF, which can potentially be used to obtain access to sensitive internal system information by unauthorized individuals.
Esri strongly recommends all ArcGIS Server administrators install this patch by using the ArcGIS Server “Patch Notification” utility or by downloading the appropriate patch for your ArcGIS Enterprise site from the ArcGIS Server Security 2020 Update 1 Patch knowledge base article.
Be sure to subscribe to the RSS feed on the ArcGIS Trust Center for timely notifications regarding trends and issues related to security issues that impact the ArcGIS Platform.
Refer to the following resources: