BUG-000157278 – ArcGIS Insights has a security vulnerability - desktop
CVE-2023-25839
7 HIGH
What is CVE-2023-25839?
An SQL injection vulnerability exists in Esri ArcGIS Insights Desktop for both Mac and Windows platforms, specifically in version 2022.1. This flaw permits a local, authorized attacker to potentially execute arbitrary SQL commands against the underlying database. The exploitation of this vulnerability requires a complex process of crafting specific input, demanding significant effort for the attacker to achieve a successful outcome.
Affected Version(s)
ArcGIS Insights 64 bit 2022.1
CVSS V3.1
Score: 7
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved