CVE-2023-25848: BUG-000158039 - There is an information disclosure issue in ArcGIS Server.
First published: Fri Aug 25 2023(Updated: )
ArcGIS Enterprise Server versions 11.0 and below have an information disclosure vulnerability where a remote, unauthorized attacker may submit a crafted query that may result in a low severity information disclosure issue. The information disclosed is limited to a single attribute in a database connection string. No business data is disclosed.
Credit: psirt@esri.com psirt@esri.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Esri ArcGIS Server | >=10.8.1<=11.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the vulnerability ID?
The vulnerability ID is CVE-2023-25848.
What is the severity of CVE-2023-25848?
The severity of CVE-2023-25848 is medium with a CVSS score of 5.3.
What is the affected software?
The affected software is ArcGIS Enterprise Server versions 11.0 and below.
What is the impact of CVE-2023-25848?
CVE-2023-25848 may result in a low severity information disclosure issue.
How do I fix CVE-2023-25848?
To fix CVE-2023-25848, users are advised to apply the ArcGIS Server Map and Feature Service Security 2023 Update 1 patch.
- collector/nvd-index
- agent/author
- agent/type
- agent/softwarecombine
- agent/severity
- agent/references
- agent/weakness
- agent/title
- agent/description
- agent/first-publish-date
- agent/event
- agent/tags
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- vendor/esri
- canonical/esri arcgis server
- version/esri arcgis server/10.8.1
- version/esri arcgis server/11.0