ArcGIS Enterprise

Critical Security patch for ArcGIS Server Released

Esri has recently discovered a critical Server-Side Request Forgery (SSRF) vulnerability in ArcGIS Server.  This issue has been assigned a base CVSS score of 9.8 – with an exploit vector as CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

In response, Esri has released the ArcGIS Server Security 2020 Update 1 Patch for all currently supported ArcGIS Server versions 10.7.1 and prior to address this issue. ArcGIS Server 10.8 is unaffected by this vulnerability. 

Special steps are required by persons with network access to the ArcGIS deployment to exploit this SSRF, which can potentially be used to obtain access to sensitive internal system information by unauthorized individuals. 

Esri strongly recommends all ArcGIS Server administrators install this patch by using the ArcGIS Server “Patch Notification” utility or by downloading the appropriate patch for your ArcGIS Enterprise site from the ArcGIS Server Security 2020 Update 1 Patch knowledge base article 

Be sure to subscribe to the RSS feed on the ArcGIS Trust Center for timely notifications regarding trends and issues related to security issues that impact the ArcGIS Platform. 

Refer to the following resources: 

ArcGIS Server Security 2020 Update 1 Patch 

Check for and install software patches and updates  

HowTo: Schedule Automatic Updates for ArcGIS Enterprise 

ArcGIS Trust Center 

Security Update Statement 


Inline Feedbacks
View all comments

Next Article

Basemap Releases Include Over 300 New and Updated Communities

Read this article