CVE-2022-38205: Portal for ArcGIS has a directory traversal vulnerability (10.9.1, 10.8.1 and 10.7.1 only)
First published: Thu Dec 29 2022(Updated: )
In some non-default installations of Esri Portal for ArcGIS versions 10.9.1 and below, a directory traversal issue may allow a remote, unauthenticated attacker to traverse the file system and lead to the disclosure of sensitive data (not customer-published content).
Credit: psirt@esri.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Esri Portal for ArcGIS | <=10.9.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2022-38205?
CVE-2022-38205 is a vulnerability in some non-default installations of Esri Portal for ArcGIS versions 10.9.1 and below, which allows a remote attacker to traverse the file system and potentially disclose sensitive data.
How severe is CVE-2022-38205?
CVE-2022-38205 has a severity score of 7.5 (high).
What is the affected version of Esri Portal for ArcGIS?
Esri Portal for ArcGIS versions 10.9.1 and below are affected.
How can a remote attacker exploit CVE-2022-38205?
A remote attacker can exploit CVE-2022-38205 by sending specially crafted requests to the affected system, allowing them to traverse the file system and potentially access sensitive data.
Is there a patch or fix available for CVE-2022-38205?
Yes, a patch is available for CVE-2022-38205. Please refer to the official Esri Portal for ArcGIS website for more information.
- collector/nvd-index
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/weakness
- agent/title
- agent/severity
- agent/author
- agent/last-modified-date
- agent/tags
- agent/event
- agent/description
- agent/first-publish-date
- vendor/esri
- canonical/esri portal for arcgis
- version/esri portal for arcgis/10.9.1