Esri has released the Portal for ArcGIS Security 2023 Update 1 Patch that resolves multiple high and medium severity security vulnerabilities across versions 11.0, 10.9.1, 10.8.1, and 10.7.1.
This patch was released on April 17, 2023 and is available here.
We provide Common Vulnerability Scoring System v.3.1 (CVSS) scores to allow our customers to better assess risk of these vulnerabilities to their operations. Both base and modified temporal scores are provided to reflect the availability of an official patch.
Important Note May 16, 2023: The 10.9.1 version of the Portal for ArcGIS 10.9.1 Security 2023 Update 1 Patch has been updated to address BUG-000157748. Please download and install the new setup. It is not necessary to uninstall the original patch, the new setup will install and replace the original patch. BUG-000157748 only affects version 10.9.1 of the Portal for ArcGIS Security 2023 Update 1 Patch.
BUG-000157748 After installing the Portal for ArcGIS 10.9.1 Security 2023 Update 1 Patch, Map Viewer’s Styles panel fails to load and other panels (Filter, Clustering) subsequently fail to load.
Important Note May 17, 2023: The 10.8.1 and 10.7.1 Portal for ArcGIS Security 2023 Update 1 Patch setups have been updated to allow installation using a Chef Cookbooks or PowerShell DSC automation script. Please download and install the new setup. It is not necessary to uninstall the original patch, the new setup will install and replace the original patch.
Vulnerabilities fixed by this patch
There is an unvalidated redirect vulnerability in Esri Portal for ArcGIS 11.0 and 10.9.1 that may allow a remote, unauthenticated attacker to craft a URL that could redirect a victim to an arbitrary website, simplifying phishing attacks.
- CVE Details: CVE-2023-25829
- CWE-601: URL Redirection to Untrusted Site (‘Open Redirect’)
- Base CVSSv31: 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- Environmentally Modified CVSSv3.1: 4.6 /AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/RL:O/MAV:A/MPR:L
Esri Bug ID: BUG-000155001
There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 10.9.1, 10.8.1 and 10.7.1 which may allow a remote, unauthenticated attacker to create a crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser.
- CVE Details: CVE-2023-25830
- Mitigation: Leverage a WAF to filter JavaScript from URL query parameters
- CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
- Base CVSSv3.1: 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- Credit: Theologos Kokkinellis
Esri Bug ID: BUG-000154662
There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 10.9.1, 10.8.1 and 10.7.1 which may allow a remote, unauthenticated attacker to create a crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser.
- CVE Details: CVE-2023-25831
- Mitigation: Leverage a WAF to filter JavaScript from URL query parameters
- CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’
- Base CVSSv3.1: 6.1 /AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Esri Bug ID: BUG-000154236
There is a cross-site-request forgery vulnerability in Esri Portal for ArcGIS Versions 11.0 and below that may allow an attacker to trick an authorized user into executing unwanted actions under the context of the victim’s browser.
- CVE Details: CVE-2023-25832
- CWE-352: Cross-Site Request Forgery (CSRF)
- Base CVSSv3.1: 6.8 – CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
- Environmentally modified CVSSv3.1: 4.6 – /AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N/RL:W
Esri Bug ID: BUG-000148346
There is an HTML injection vulnerability in Esri Portal for ArcGIS versions 11.0 and below that may allow a remote, unauthenticated attacker to create a crafted link which when clicked could render arbitrary HTML in the victim’s browser.
- CVE Details: CVE-2023-25833
- CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
- Base CVSSv3.1 5.4 – CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
- Environmentally Modified CVSSv3.1: 4.1 /AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N
- Mitigation: Disable the Portal for ArcGIS Services Directory per best practices
- Credit: Andrew Salazar
Esri Bug ID: BUG-000155004
Changes to user permissions in Portal for ArcGIS 10.9.1 and below are incompletely applied in specific use cases. This issue may allow users to access content that they should no longer be privileged to access.
- CVE Details: CVE-2023-25834
- CWE-269: Improper Privilege Management
- Base CVSSv3.1: 3.4: 4.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N
- Environmentally Modified CVSSv3.1: 3.4 /AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/RL:W/MC:L/MI:N
Esri Bug ID: BUG-000142922
Commenting is not enabled for this article.