Over the last several weeks there has been a string of media-hyped open-source component vulnerabilities, including Apache Commons Text CVE-2022-42889. The CVE carries a critical base severity, although the vulnerability is actively being reassessed by the National Vulnerability Database team.
While Commons Text is used across a number of ArcGIS products, we have validated that the base ArcGIS Enterprise deployment (Portal for ArcGIS, ArcGIS Server, ArcGIS Data Store) and ArcGIS Pro are not vulnerable. A security scanner run against these products may incorrectly flag the vulnerability as present, because many scanners report a finding as soon as they detect a vulnerable version of the Commons Text library on disk. We have confirmed that the library, where present in these products, is not used in a way that would make it vulnerable to this CVE. The flaw requires untrusted input to reach a StringSubstitutor that uses the default interpolator lookups (script, dns and url); a version match alone does not establish that such a code path exists.
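The distinction between "vulnerable version present" and "vulnerable usage present" is the whole point of the paragraph above. The following is an added illustration, not Esri's code and not taken from any ArcGIS product: it places the usage pattern CVE-2022-42889 describes (an interpolating StringSubstitutor fed attacker-controlled template text) next to a usage that has the same commons-text jar on the classpath but never exposes the script, dns or url lookups. The class name, the method names and the sample template string are assumptions constructed for this example; the only real API used is org.apache.commons.text from commons-text 1.5 through 1.9.

```java
import java.util.Map;

import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookupFactory;

// Added example (hypothetical class name), not code from Esri or from ArcGIS.
public class CommonsTextUsageCheck {

    // Vulnerable pattern in commons-text 1.5 through 1.9: the interpolating
    // substitutor resolves every default lookup prefix, including script:,
    // dns: and url:, so attacker-controlled template text can lead to code
    // execution or outbound network access. This is the usage the CVE covers.
    // In 1.10.0 these three lookups are no longer enabled by default.
    static String interpolateUntrusted(String untrustedTemplate) {
        StringSubstitutor sub = new StringSubstitutor(
                StringLookupFactory.INSTANCE.interpolatorStringLookup());
        return sub.replace(untrustedTemplate);
    }

    // Safe pattern: substitution is limited to an explicit, application-controlled
    // map. Variables that are not keys in the map, including "${script:...}",
    // are left untouched. The same jar version is on the classpath, but the
    // vulnerable lookups are never reachable from this call.
    static String substituteFromMap(String template, Map<String, String> values) {
        StringSubstitutor sub = new StringSubstitutor(values);
        return sub.replace(template);
    }

    public static void main(String[] args) {
        // Constructed sample template: one legitimate variable plus the two
        // lookup prefixes the CVE concerns. The expressions are harmless here;
        // they only show the shape of a hostile template.
        String template = "host=${host} dns=${dns:address|localhost} expr=${script:javascript:1+1}";

        // Map-backed substitution resolves ${host} and nothing else.
        String safe = substituteFromMap(template, Map.of("host", "gis.example.invalid"));
        String expected = "host=gis.example.invalid dns=${dns:address|localhost} expr=${script:javascript:1+1}";
        if (!safe.equals(expected)) {
            throw new AssertionError("map-backed substitutor resolved a lookup prefix: " + safe);
        }
        System.out.println("map-backed substitutor : " + safe);

        // The interpolating substitutor evaluates the prefixes. The dns: lookup
        // performs a real name resolution, and script: needs a JSR-223 engine,
        // so on JDKs without one (15 and later) this throws instead of returning 2.
        try {
            System.out.println("interpolating substitutor: " + interpolateUntrusted(template));
        } catch (RuntimeException e) {
            System.out.println("interpolating substitutor threw: " + e);
        }
    }
}
```

Run it against commons-text 1.9 and then 1.10.0 to see the difference: the map-backed path produces the same output on both versions, while the interpolating path evaluates the prefixes on 1.9 and leaves them as literal text on 1.10.0. When a scanner reports the CVE against a product, the question to answer is whether any code path resembles interpolateUntrusted with input an attacker controls, not merely whether the jar is in the affected range.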
Esri continues to inventory our products and systems potentially impacted by the vulnerability. If a product is impacted, information will be added here.
- Esri Software Security & Privacy