Headline
CVE-2022-38191: Portal for ArcGIS Security 2022 Update 1 Patch
There is an HTML injection issue in Esri Portal for ArcGIS versions 10.9.0 and below which may allow a remote, authenticated attacker to inject HTML into some locations in the home application.
Esri has released the Portal for ArcGIS Security 2022 Update 1 Patch that resolves two high priority security vulnerabilities and seven medium priority security vulnerabilities across versions 10.9.1, 10.8.1, and 10.7.1.
As with all security patches, we encourage all system administrators to install security updates on relevant systems at your earliest opportunity.
This patch addresses two high severity vulnerability and seven medium severity vulnerabilities. This patch is available here.
We provide Common Vulnerability Scoring System (CVSS) scores to allow our customers to better assess risk of these vulnerabilities to their operations.
Both the base score and a modified temporal score is provided for each issue to reflect the availability of an official patch. Please see Common Vulnerability Scoring System for more information on how these metrics are defined.
Vulnerabilities fixed in this patch include:
There is an improper access control vulnerability in Portal for ArcGIS versions 10.8.1 and below which could allow a remote, unauthenticated attacker to access an API that may induce Esri Portal for ArcGIS to read arbitrary URLs.
Common Vulnerability Scoring System (CVSS v3.1) Details
- 7.5 Base Score, 6.2 Temporal Score
- Remediation Level: Official Fix Available
- Report Confidence: Confirmed by Esri
#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/RL:O/RC:C/MPR:L
Mitigations
Disable anonymous access to Portal for ArcGIS
Vulnerability Details
Esri Bug ID: BUG-000143640
CVE-2022-38184 – Improper Access Control CWE-284 – CVSS 6.2
There is an improper access control vulnerability in Portal for ArcGIS versions 10.8.1 and below which could allow a remote, unauthenticated attacker to access an API that may induce Esri Portal for ArcGIS to read arbitrary URLs.
Common Vulnerability Scoring System (CVSS v3.1) Details
- 7.5 Base Score, 6.2 Temporal Score
- Remediation Level: Official Fix Available
- Report Confidence: Confirmed by Esri
#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/RL:O/RC:C/MPR:L
Mitigations
Disable anonymous access to Portal for ArcGIS
Vulnerability Details
Esri Bug ID: BUG-000143638
CVE: CVE-2022-38184 – Improper Access Control CWE-284 – CVSS 6.2
There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 10.8.1 and below which may allow a remote attacker able to convince a user to click on a crafted link which could potentially execute arbitrary JavaScript code in the victim’s browser.
Common Vulnerability Scoring System (CVSS v3.1) Details
- 7.1 Base Score, 5.2 Temporal Score
- Remediation Level: Official Fix Available
- Report Confidence: Confirmed by Esri
#CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L/RL:O/MPR:L
Mitigations:
Disable Anonymous Access to Portal for ArcGIS
Vulnerability Details:
Esri Bug ID: BUG-000143642
CVE: CVE-2022-38186 – Cross-site Scripting (XSS) CWE-79 – CVSS 6.2
Acknowledgements:
Simone La Porta
There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 10.8.1 and below which may allow a remote attacker able to convince a user to click on a crafted link which could potentially execute arbitrary JavaScript code in the victim’s browser.
Common Vulnerability Scoring System (CVSS v3.1) Details
- 7.1 Base Score, 5.2 Temporal Score
- Remediation Level: Official Fix Available
- Report Confidence: Confirmed by Esri
#CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L/RL:O/MPR:L
Mitigations:
Disable Anonymous Access to Portal for ArcGIS
Vulnerability Details:
Esri Bug ID: BUG-000137733
CVE: CVE-2022-38186- Cross-site Scripting (XSS) CWE-79 – CVSS 6.2
There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 10.8.1 and below which may allow a remote attacker able to convince a user to click on a crafted link which could potentially execute arbitrary JavaScript code in the victim’s browser.
Common Vulnerability Scoring System (CVSS v3.1) Details
- 7.1 Base Score, 5.2 Temporal Score
- Remediation Level: Official Fix Available
- Report Confidence: Confirmed by Esri
#CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L/RL:O/MPR:L
Mitigations:
Disable Anonymous Access to Portal for ArcGIS
Vulnerability Details:
Esri Bug ID: BUG-000136544
CVE: CVE-2022-38188 – Cross-site Scripting (XSS) CWE-79 – CVSS 6.2
In Esri Portal for ArcGIS versions 10.8.1, a system property is not properly encrypted. This may lead to a local user reading sensitive information from a properties file.
Common Vulnerability Scoring System (CVSS v3.1) Details
- 6.7 Base Score, 6.4 Temporal Score
- Remediation Level: Official Fix Available
- Report Confidence: Confirmed by Esri
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N/RL:O/RC:C
Mitigations:
Vulnerability Details:
Impacts Portal for ArcGIS 10.8.1 ONLY
Esri Bug ID: BUG-000133255
CVE: CVE-2022-38194 – Missing Encryption of Sensitive Data CWE-311 – CVSS 5.2
There is a code injection vulnerability in Esri Portal for ArcGIS versions 10.8.1 and below that may allow a remote, unauthenticated attacker to pass strings which could potentially cause arbitrary code execution in a victims browser.
Common Vulnerability Scoring System (CVSS v3.1) Details
- 6.1 Base Score, 5.8 Temporal Score
- Remediation Level: Official Fix Available
- Report Confidence: Confirmed by Esri
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/RL:O
Mitigations:
Vulnerability Details:
Esri Bug ID: BUG-000135726
CVE: CVE-2022-38193 – Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’) CWE-95 – CVSS 5.8
There is a stored Cross Site Scripting (XSS) vulnerability in Esri Portal for ArcGIS versions 10.8.1 and below that may allow a remote, unauthenticated attacker to pass and store malicious strings via crafted queries which when accessed could potentially execute arbitrary JavaScript code in the user’s browser
Common Vulnerability Scoring System (CVSS v3.1) Details
- 5.7 Base Score, 5.5 Temporal Score
- Remediation Level: Official Fix Available
- Report Confidence: Confirmed by Esri
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N/RL:O
Mitigations:
Vulnerability Details:
Esri Bug ID: BUG-000149597
CVE: CVE-2022-38192 – Cross-site Scripting (XSS) CWE-79 – CVSS 5.2
There is a stored Cross Site Scripting (XSS) vulnerability in Esri Portal for ArcGIS configurable apps versions 10.8.1 and below that may allow a remote, unauthenticated attacker to pass and store malicious strings via crafted queries which when accessed could potentially execute arbitrary JavaScript code in the user’s browser
Common Vulnerability Scoring System (CVSS v3.1) Details
- 5.4 Base Score, 5.2 Temporal Score
- Remediation Level: Official Fix Available
- Report Confidence: Confirmed by Esri
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/RL:O/RC:C/
Mitigations:
Vulnerability Details:
Esri Bug ID: BUG-000143643
CVE: Coming soon – Cross-site Scripting (XSS) CWE-79 – CVSS 5.2
Acknowledgements:
Fredrik Ljung
There is an HTML injection issue in Esri Portal for ArcGIS versions 10.9.0 and below which may allow a remote, authenticated attacker to inject HTML into some locations in the home application.
Common Vulnerability Scoring System (CVSS v3.1) Details
- 5.4 Base Score, 5.2 Temporal Score
- Remediation Level: Official Fix Available
- Report Confidence: Confirmed by Esri
#CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/RL:O
Mitigations:
Vulnerability Details:
Esri Bug ID: BUG-000138486
CVE: CVE-2022-38191 – Improper Neutralization of Special Elements in Output Used by a Downstream Component (‘Injection’) CWE-74 – CVSS 5.2
There is a stored Cross Site Scripting (XSS) vulnerability in Esri Portal for ArcGIS which may allow a remote, authenticated attacker to pass and store malicious strings via crafted queries which when accessed could potentially execute arbitrary JavaScript code in the user’s browser. This is a separate fix than BUG-000149597.
Common Vulnerability Scoring System (CVSS v3.1) Details
- 5.4 Base Score, 5.2 Temporal Score
- Remediation Level: Official Fix Available
- Report Confidence: Confirmed by Esri
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/RL:O/RC:C/
Mitigations:
Vulnerability Details:
Esri Bug ID: BUG-000133257
CVE: CVE-2022-38189 – Cross-site Scripting (XSS) CWE-79 – CVSS 5.2
Acknowledgements:
Gustavo Silva
Additional Notes:
This patch is highly recommended and encouraged for all customers running on versions of ArcGIS Enterprise in mainstream and extended support status. (10.7.1, 10.8.1, and 10.9.1). Customers on older versions of ArcGIS Enterprise are encouraged to upgrade.