Esri has released the ArcGIS Server Security 2022 Update 2 Patch that resolves one high severity security vulnerability across versions 10.9.1, 10.8.1, and 10.7.1.
This security update was released on October 4, 2022 and is available here.
Important Note: BUG-000152121 is addressed for versions 10.9 and 11.0 in the ArcGIS Server Directory Traversal Vulnerability Patch.
We provide Common Vulnerability Scoring System v.3.1 (CVSS) scores to allow our customers to better assess risk of these vulnerabilities to their operations. Both base and modified temporal scores are provided to reflect the availability of an official patch.
Vulnerabilities fixed by this patch
There is a path traversal vulnerability in Esri ArcGIS Server versions 10.9.1 and below. Successful exploitation may allow a remote, unauthenticated attacker traverse the file system to access files outside of the intended directory on ArcGIS Server. This could lead to the disclosure of sensitive site configuration information (not user datasets).
- 7.5 Base Score, 7.2 Temporal Score
- Remediation Level: Official Fix Available
- Report Confidence: Confirmed by Esri
Esri Bug ID: BUG-000152121
Acknowledgements: Esri Nederland Content Team