CVE-2022-38184
There is an improper access control vulnerability in Portal for ArcGIS versions 10.8.1
In short
Portal for ArcGIS versions 10.8.1 and below have a flaw that lets unauthenticated attackers reach an API without logging in, which can be used to make the portal fetch content from any URL the attacker specifies.
Technical detail
This improper access control vulnerability (CWE-284) in Portal for ArcGIS ≤10.8.1 allows unauthenticated remote attackers to access an unprotected API endpoint that enables Server-Side Request Forgery (SSRF). The attack requires no prior authentication and can result in arbitrary URL fetching by the affected application, potentially exposing internal resources or sensitive data.
Summary generated and translated by AI from the official description.
There is an improper access control vulnerability in Portal for ArcGIS versions 10.8.1 and below which could allow a remote, unauthenticated attacker to access an API that may induce Esri Portal for ArcGIS to read arbitrary URLs.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected products
Esri · Portal for ArcGIS