CVE-2022-38202: BUG-000152121 - Directory traversal vulnerability in ArcGIS Server.
First published: Wed Dec 28 2022(Updated: )
There is a path traversal vulnerability in Esri ArcGIS Server versions 10.9.1 and below. Successful exploitation may allow a remote, unauthenticated attacker traverse the file system to access files outside of the intended directory on ArcGIS Server. This could lead to the disclosure of sensitive site configuration information (not user datasets).
Credit: psirt@esri.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Esri ArcGIS Server | <=10.9.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID for this path traversal vulnerability?
The vulnerability ID for this path traversal vulnerability is CVE-2022-38202.
Which versions of Esri ArcGIS Server are affected by this vulnerability?
Esri ArcGIS Server versions 10.9.1 and below are affected by this vulnerability.
What is the severity of CVE-2022-38202?
The severity of CVE-2022-38202 is high, with a CVSS score of 7.5.
What can a remote, unauthenticated attacker do if they exploit this vulnerability?
A remote, unauthenticated attacker can traverse the file system to access files outside of the intended directory on ArcGIS Server, potentially leading to the disclosure of sensitive information.
How can I fix CVE-2022-38202?
To fix CVE-2022-38202, it is recommended to update Esri ArcGIS Server to a version above 10.9.1 or apply the security patch provided by Esri.
- collector/nvd-index
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/weakness
- agent/title
- agent/severity
- agent/author
- agent/last-modified-date
- agent/event
- agent/description
- agent/first-publish-date
- agent/tags
- agent/source
- vendor/esri
- canonical/esri arcgis server
- version/esri arcgis server/10.9.1