Lucene search

EsriCVELIST:CVE-2022-38212

HistoryDec 29, 2022 - 12:00 a.m.

CVE-2022-38212 Server Side Request Forgery (SSRF) vulnerability in Portal for ArcGIS (10.8.1 and 10.7.1 only)

2022-12-2900:00:00

CWE-918

Esri

www.cve.org

cve-2022-38212

server-side request forgery

portal for arcgis

10.8.1

10.7.1

vulnerability

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

8 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

55.0%

JSON

Protections against potential Server-Side Request Forgery (SSRF) vulnerabilities in Esri Portal for ArcGIS versions 10.8.1 and below were not fully honored and may allow a remote, unauthenticated attacker to forge requests to arbitrary URLs from the system, potentially leading to network enumeration or reading from hosts inside the network perimeter, a different issue than CVE-2022-38211 and CVE-2022-38203.

CNA Affected

[
  {
    "vendor": "Esri",
    "product": "ArcGIS Enterprise",
    "versions": [
      {
        "version": "Portal for ArcGIS",
        "status": "affected",
        "lessThanOrEqual": "10.9.1",
        "versionType": "custom"
      }
    ],
    "platforms": [
      "x64"
    ]
  }
]

References

www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2022-update-2-patch-is-now-available

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

8 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

55.0%

JSON

Related for CVELIST:CVE-2022-38212