Local File Inclusion Vulnerability in Esri Portal for ArcGIS 11.2, 11.1, 11.0, and 10.9.1
CVE-2024-38040

7.5HIGH

Key Information:

Vendor: Esri
Status: Portal For Arcgis
Vendor: CVE Published:; 4 October 2024

What is CVE-2024-38040?

A local file inclusion vulnerability exists in the Esri Portal for ArcGIS application, specifically in versions 11.2, 11.1, 11.0, and 10.9.1. This flaw allows a remote, unauthenticated attacker to create a specially crafted URL that could lead to the disclosure of sensitive configuration information by accessing internal files. The security risk emphasizes the need for immediate attention to mitigate potential breaches and protect user data.

Affected Version(s)

Portal for ArcGIS Windows All <= 11.2

References

https://www.esri.com/arcgis-blog/products/trust-arcgis/ad...

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Oct 4, 2024