Headline
CVE-2023-25848: The ArcGIS Server Map and Feature Service Security 2023 Update 1 Patch is now available
ArcGIS Enterprise Server versions 11.0 and below have an information disclosure vulnerability where a remote, unauthorized attacker may submit a crafted query that may result in a low severity information disclosure issue.
The information disclosed is limited to a single attribute in a database connection string. No business data is disclosed.
The ArcGIS Server Map and Feature Service Security 2023 Update 1 Patch is now avaialble. This patch contains a fix for one Medium Severity Security vulnerability, as well as fixes for other non-security related bugs. Esri highly recommends customers using ArcGIS Enterprise 10.8.1 through ArcGIS 11.1 install this patch. Users with older versions under mature support should upgrade to ArcGIS Enterprise 11.1 and then install this patch.
This patch was released on 8/22/2023 and is available here.
Vulnerabilities fixed by this patch.
CVE-2023-25848: There is an information disclosure issue in ArcGIS Server.
ArcGIS Enterprise Server versions 11.0 and below have an information disclosure vulnerability where a remote, unauthorized attacker may submit a crafted query that may result in a low severity information disclosure issue.
The information disclosed is limited to a single attribute in a database connection string. No business data is disclosed.
Impact: Information Disclosure
CVSSv31: /AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C 4.8 (Moderate)
Exploit Code Maturity: Proof of Concept
Remediation Level: Official Fix
Report Confidence: Confirmed
CWE-89 – Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
Mitigation: secure the web service.