Portal for ArcGIS has a directory traversal vulnerability (10.9.1, 10.8.1 and 10.7.1 only)
CVE-2022-38205

8.6HIGH

Key Information:

Vendor: Esri
Status: Arcgis Enterprise
Vendor: CVE Published:; 29 December 2022

What is CVE-2022-38205?

In some non-default installations of Esri Portal for ArcGIS versions 10.9.1 and below, a directory traversal issue may allow a remote, unauthenticated attacker to traverse the file system and lead to the disclosure of sensitive data (not customer-published content).

Affected Version(s)

ArcGIS Enterprise x64 Portal for ArcGIS <= 10.9.1

References

https://www.esri.com/arcgis-blog/products/trust-arcgis/ad...

CVSS V3.1

Score:

8.6

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Dec 29, 2022
Vulnerability Reserved
Aug 12, 2022