ArcGIS Trust Center

Portal for ArcGIS Security 2022 Update 2 Patch is now available

Esri has released the Portal for ArcGIS Security 2022 Update 2 Patch that resolves multiple high and medium severity security vulnerabilities across versions 11.0, 10.9.1, 10.8.1, and 10.7.1.

This patch was released on 12/5/2022 and is available here.

 We provide Common Vulnerability Scoring System v.3.1 (CVSS) scores to allow our customers to better assess risk of these vulnerabilities to their operations.  Both base and modified temporal scores are provided to reflect the availability of an official patch.

Vulnerabilities fixed by this patch

CVE-2022-38205 – CWE-23

In some non-default installations of Esri Portal for ArcGIS versions 10.9.1 and below, a directory traversal issue may allow a remote, unauthenticated attacker to traverse the file system and lead to the disclosure of sensitive data (not customer-published content).

CVSS Details:

Esri Bug ID: BUG-000148810

 

CVE-2022-38203– CWE-918

Protections against potential Server-Side Request Forgery (SSRF) vulnerabilities in Esri Portal for ArcGIS versions 10.8.1 and below were not fully honored and may allow a remote, unauthenticated attacker to forge requests to arbitrary URLs from the system, potentially leading to network enumeration or reading from hosts inside the network perimeter, a different issue than CVE-2022-38211 and CVE-2022-38212.

CVSS Details:

Esri Bug ID: BUG-000143641

 

CVE-2022-38211– CWE-918

Protections against potential Server-Side Request Forgery (SSRF) vulnerabilities in Esri Portal for ArcGIS versions 10.8.1 and below were not fully honored and may allow a remote, unauthenticated attacker to forge requests to arbitrary URLs from the system, potentially leading to network enumeration or reading from hosts inside the network perimeter, a different issue than CVE-2022-38212 and CVE-2022-38203.

CVSS Details:

Esri Bug ID: BUG-000143573

 

CVE-2022-38212– CWE-918

Protections against potential Server-Side Request Forgery (SSRF) vulnerabilities in Esri Portal for ArcGIS versions 10.8.1 and below were not fully honored and may allow a remote, unauthenticated attacker to forge requests to arbitrary URLs from the system, potentially leading to network enumeration or reading from hosts inside the network perimeter, a different issue than CVE-2022-38211 and CVE-2022-38203.

CVSS Details:

Esri Bug ID: BUG-000130783

 

CVE-2022-38204– CWE-79

There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 10.8.1 and 10.7.1 which may allow a remote, unauthenticated attacker to create a crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser.

CVSS Details:

Esri Bug ID: BUG-000141886

 

CVE-2022-38206– CWE-79

There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 10.8.1 and 10.7.1 which may allow a remote, unauthenticated attacker to create a crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser.

CVSS Details:

Esri Bug ID: BUG-000151892

 

CVE-2022-38207– CWE-79

There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 10.8.1 and 10.7.1 which may allow a remote, unauthenticated attacker to create a crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser.

CVSS Details:

Esri Bug ID: BUG-000136210

 

CVE-2022-38209– CWE-79

There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 10.9.1 and below that may allow a remote, unauthenticated attacker to create a crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser.

CVSS Details:

Esri Bug ID: BUG-000152437

 

CVE-2022-38210– CWE-79

There is a reflected HTML injection vulnerability in Esri Portal for ArcGIS versions 10.9.1 and below that may allow a remote, unauthenticated attacker to create a crafted link which when clicked could render arbitrary HTML in the victim’s browser.

CVSS Details:

Esri Bug ID: BUG-000148008

 

CVE-2022-38208– CWE-79

There is an unvalidated redirect vulnerability in Esri Portal for ArcGIS 11.0 and below that may allow a remote, unauthenticated attacker to craft a URL that could redirect a victim to an arbitrary website, simplying phishing attacks. CVSS Details:

Esri Bug ID: BUG-000152035

Next Article

What's new in ArcGIS StoryMaps (March 2024)

Read this article