CVE-2022-38194 - Vulnerability Details - OpenCVE

In Esri Portal for ArcGIS versions 10.8.1, a system property is not properly encrypted. This may lead to a local user reading sensitive information from a properties file.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Esri	Portal For Arcgis

Configuration 1 [-]

cpe:2.3:a:esri:portal_for_arcgis:10.8.1:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/portal-for-arcgis-security-2022-update-1-patch/

History

No history.

MITRE

Status: PUBLISHED

Assigner: Esri

Published: 2022-08-16T17:00:17.513507Z

Updated: 2024-09-16T22:50:47.133Z

Reserved: 2022-08-12T00:00:00

Link: CVE-2022-38194

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-08-16T17:15:08.120

Modified: 2024-11-21T07:15:58.603

Link: CVE-2022-38194

Redhat

No data.

{"containers": {"cna": {"affected": [{"platforms": ["x64"], "product": "Portal for ArcGIS", "vendor": "Esri", "versions": [{"status": "affected", "version": "10.8.1"}]}], "datePublic": "2022-06-28T00:00:00", "descriptions": [{"lang": "en", "value": "In Esri Portal for ArcGIS versions 10.8.1, a system property is not properly encrypted. This may lead to a local user reading sensitive information from a properties file."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-311", "description": "CWE-311 Missing Encryption of Sensitive Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-08-16T17:00:17", "orgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e", "shortName": "Esri"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/portal-for-arcgis-security-2022-update-1-patch/"}], "source": {"defect": ["BUG-000133255"], "discovery": "UNKNOWN"}, "title": "Portal for ArcGIS system properties are not properly encrypted (10.8.1 only)", "x_generator": {"engine": "Vulnogram 0.0.8"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@esri.com", "DATE_PUBLIC": "2022-06-28T17:42:00.000Z", "ID": "CVE-2022-38194", "STATE": "PUBLIC", "TITLE": "Portal for ArcGIS system properties are not properly encrypted (10.8.1 only)"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Portal for ArcGIS", "version": {"version_data": [{"platform": "x64", "version_value": "10.8.1"}]}}]}, "vendor_name": "Esri"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In Esri Portal for ArcGIS versions 10.8.1, a system property is not properly encrypted. This may lead to a local user reading sensitive information from a properties file."}]}, "generator": {"engine": "Vulnogram 0.0.8"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-311 Missing Encryption of Sensitive Data"}]}]}, "references": {"reference_data": [{"name": "https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/portal-for-arcgis-security-2022-update-1-patch/", "refsource": "CONFIRM", "url": "https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/portal-for-arcgis-security-2022-update-1-patch/"}]}, "source": {"defect": ["BUG-000133255"], "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T10:45:52.947Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/portal-for-arcgis-security-2022-update-1-patch/"}]}]}, "cveMetadata": {"assignerOrgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e", "assignerShortName": "Esri", "cveId": "CVE-2022-38194", "datePublished": "2022-08-16T17:00:17.513507Z", "dateReserved": "2022-08-12T00:00:00", "dateUpdated": "2024-09-16T22:50:47.133Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:esri:portal_for_arcgis:10.8.1:*:*:*:*:*:*:*", "matchCriteriaId": "FDE382B5-E228-4803-A3FC-B803C7838777", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In Esri Portal for ArcGIS versions 10.8.1, a system property is not properly encrypted. This may lead to a local user reading sensitive information from a properties file."}, {"lang": "es", "value": "En Esri Portal para ArcGIS versiones 10.8.1, una propiedad del sistema no est\u00e1 correctamente cifrada. Esto puede conllevar a que un usuario local lea informaci\u00f3n sensible de un archivo de propiedades."}], "id": "CVE-2022-38194", "lastModified": "2024-11-21T07:15:58.603", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.5, "impactScore": 4.7, "source": "psirt@esri.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-08-16T17:15:08.120", "references": [{"source": "psirt@esri.com", "tags": ["Vendor Advisory"], "url": "https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/portal-for-arcgis-security-2022-update-1-patch/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/portal-for-arcgis-security-2022-update-1-patch/"}], "sourceIdentifier": "psirt@esri.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-311"}], "source": "psirt@esri.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-311"}], "source": "nvd@nist.gov", "type": "Primary"}]}