Esri has released the Portal for ArcGIS Security 2022 Update 1 Patch that resolves multiple high and medium severity security vulnerabilities across versions 10.9.1, 10.8.1, and 10.7.1.
This patch is available here.
We provide Common Vulnerability Scoring System v.3.1 (CVSS) scores to allow our customers to better assess risk of these vulnerabilities to their operations. Both base and modified temporal scores are provided to reflect the availability of an official patch.
Vulnerabilities fixed by this patch
CVE-2022-38184 – CWE-284
There is an improper access control vulnerability in Portal for ArcGIS versions 10.8.1 and below which could allow a remote, unauthenticated attacker to access an API that may induce Esri Portal for ArcGIS to read arbitrary URLs.
CVSS Details:
- 7.5 Base Score, 6.2 Temporal Score
- Remediation Level: Official Fix Available
- Report Confidence: Confirmed by Esri
- /AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/RL:O/RC:C/MPR:L
Mitigations: Disable anonymous access to Portal for ArcGIS
Esri Bug ID: BUG-000143640 & BUG-000143638
CVE-2022-38186 – CWE-79
There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 10.8.1 and below which may allow a remote attacker able to convince a user to click on a crafted link which could potentially execute arbitrary JavaScript code in the victim’s browser.
CVSS Details:
- 7.1 Base Score, 5.2 Temporal Score
- Remediation Level: Official Fix Available
- Report Confidence: Confirmed by Esri
- /AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L/RL:O/MPR:L
Mitigations: Disable Anonymous Access to Portal for ArcGIS
Esri Bug ID: BUG-000143642 & BUG-000137733
Acknowledgements: Simone La Porta
CVE-2022-38188 – CWE-79
There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 10.8.1 and below which may allow a remote attacker able to convince a user to click on a crafted link which could potentially execute arbitrary JavaScript code in the victim’s browser.
CVSS Details:
- 7.1 Base Score, 5.2 Temporal Score
- Remediation Level: Official Fix Available
- Report Confidence: Confirmed by Esri
- /AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L/RL:O/MPR:L
Mitigations: Disable Anonymous Access to Portal for ArcGIS
Esri Bug ID: BUG-000136544
CVE-2022-38194 – CWE-311
In Esri Portal for ArcGIS versions 10.8.1, a system property is not properly encrypted. This may lead to a local user reading sensitive information from a properties file.
CVSS Details:
- 6.7 Base Score, 6.4 Temporal Score
- Remediation Level: Official Fix Available
- Report Confidence: Confirmed by Esri
- /AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N/RL:O/RC:C
Esri Bug ID: BUG-000133255
CVE-2022-38193 – CWE-95
There is a code injection vulnerability in Esri Portal for ArcGIS versions 10.8.1 and below that may allow a remote, unauthenticated attacker to pass strings which could potentially cause arbitrary code execution.
CVSS Details:
- 6.1 Base Score, 5.8 Temporal Score
- Remediation Level: Official Fix Available
- Report Confidence: Confirmed by Esri
- /AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/RL:O
Esri Bug ID: BUG-000135726
CVE-2022-38192 – CWE-79
There is a stored Cross Site Scripting (XSS) vulnerability in Esri Portal for ArcGIS versions 10.8.1 and below that may allow a remote, unauthenticated attacker to pass and store malicious strings via crafted queries which when accessed could potentially execute arbitrary JavaScript code in the user’s browser
CVSS Details:
- 5.7 Base Score, 5.5 Temporal Score
- Remediation Level: Official Fix Available
- Report Confidence: Confirmed by Esri
- /AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N/RL:O
Esri Bug ID: BUG-000149597
CVE-2022-38190 – CWE-79
There is a stored Cross Site Scripting (XSS) vulnerability in Esri Portal for ArcGIS configurable apps versions 10.8.1 and below that may allow a remote, unauthenticated attacker to pass and store malicious strings via crafted queries which when accessed could potentially execute arbitrary JavaScript code in the user’s browser
CVSS Details:
- 5.4 Base Score, 5.2 Temporal Score
- Remediation Level: Official Fix Available
- Report Confidence: Confirmed by Esri
- AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/RL:O/RC:C/
Esri Bug ID: BUG-000143643
Acknowledgements: Fredrik Ljung
CVE-2022-38191 – CWE-74
There is an HTML injection issue in Esri Portal for ArcGIS versions 10.9 and below which may allow a remote, authenticated attacker to inject HTML into some locations in the home application.
CVSS Details:
- 5.4 Base Score, 5.2 Temporal Score
- Remediation Level: Official Fix Available
- Report Confidence: Confirmed by Esri
- AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/RL:O
Esri Bug ID: BUG-000138486
CVE-2022-38189 – CWE-79
There is a stored Cross Site Scripting (XSS) vulnerability in Esri Portal for ArcGIS which may allow a remote, authenticated attacker to pass and store malicious strings via crafted queries which when accessed could potentially execute arbitrary JavaScript code in the user’s browser. This is a separate fix than BUG-000149597.
CVSS Details:
- 5.4 Base Score, 5.2 Temporal Score
- Remediation Level: Official Fix Available
- Report Confidence: Confirmed by Esri
- AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/RL:O/RC:C/
Esri Bug ID: BUG-000133257
Acknowledgements: Gustavo Silva
Commenting is not enabled for this article.