CVE-2023-25838: ArcGIS Insights Security Patches for ArcGIS Insights 2022.1 are now available
There is a SQL injection vulnerability in Esri ArcGIS Insights 2022.1 for ArcGIS Enterprise that may allow a remote, authorized attacker to execute arbitrary SQL commands against the back-end database. Generating the crafted input needed to exploit this issue is complex and requires significant effort before a successful attack can be expected.
Esri has released ArcGIS Insights Security Patches for ArcGIS Insights 2022.1. These patches resolve high-severity security vulnerabilities in ArcGIS Insights Desktop (Windows and Mac), ArcGIS Enterprise on Windows, and ArcGIS Server and Portal for ArcGIS on Linux, whether used as the base deployment or as the primary ArcGIS connection.
These patches were released on June 23, 2023 and are available here.
We provide Common Vulnerability Scoring System v3.1 (CVSS) scores to allow our customers to better assess the risk these vulnerabilities pose to their operations. Both base and modified temporal scores are provided; the temporal score reflects the availability of an official patch.
**Vulnerabilities fixed by this patch:**
There is a SQL injection vulnerability in Esri ArcGIS Insights 2022.1 for ArcGIS Enterprise that may allow a remote, authorized attacker to execute arbitrary SQL commands against the back-end database. Generating the crafted input needed to exploit this issue is complex and requires significant effort before a successful attack can be expected.
- CVE Details: CVE-2023-25838
- Esri BUG ID: BUG-000157278 – ArcGIS Insights has a security vulnerability.
- CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
- Base CVSSv3.1: 7.5 / AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
- Environmentally Modified CVSSv3.1: 7.2 / AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/RL:O
There is a SQL injection vulnerability in Esri ArcGIS Insights Desktop for Mac and Windows version 2022.1 that may allow a local, authorized attacker to execute arbitrary SQL commands against the back-end database. Generating the crafted input needed to exploit this issue is complex and requires significant effort before a successful attack can be expected.
- CVE Details: CVE-2023-25839
- Esri BUG ID: BUG-000157278 – ArcGIS Insights has a security vulnerability.
- CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
- Base CVSSv3.1: 7.0 / AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
- Environmentally Modified CVSSv3.1: 6.7 / AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/RL:O
Install the provided patches to remediate these issues.