CVE-2022-38211 - OpenCVE

Protections against potential Server-Side Request Forgery (SSRF) vulnerabilities in Esri Portal for ArcGIS versions 10.9.1 and below were not fully honored and may allow a remote, unauthenticated attacker to forge requests to arbitrary URLs from the system, potentially leading to network enumeration or reading from hosts inside the network perimeter, a different issue than CVE-2022-38211 and CVE-2022-38212.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Esri	Portal For Arcgis

Configuration 1 [-]

cpe:2.3:a:esri:portal_for_arcgis:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2022-update-2-patch-is-now-available

History

Tue, 17 Sep 2024 01:30:00 +0000

Type	Values Removed	Values Added
Title	Server Side Request Forgery (SSRF) vulnerability in Portal for ArcGIS (10.9.1, 10.8.1 and 10.7.1 only)	Server Side Request Forgery (SSRF) vulnerability in Portal for ArcGIS (10.9.1, 10.8.1 and 10.7.1 only)

MITRE

Status: PUBLISHED

Assigner: Esri

Published: 2022-12-30T05:13:00.217381Z

Updated: 2024-09-17T01:26:57.179Z

Reserved: 2022-08-12T00:00:00

Link: CVE-2022-38211

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-12-29T20:15:10.080

Modified: 2023-01-09T18:15:12.583

Link: CVE-2022-38211

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-38211", "assignerOrgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e", "assignerShortName": "Esri", "dateUpdated": "2024-09-17T01:26:57.179Z", "dateReserved": "2022-08-12T00:00:00", "datePublished": "2022-12-30T05:13:00.217381Z"}, "containers": {"cna": {"title": "Server Side Request Forgery (SSRF) vulnerability in Portal for ArcGIS (10.9.1, 10.8.1 and 10.7.1 only)", "datePublic": "2022-12-05T00:00:00", "providerMetadata": {"orgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e", "shortName": "Esri", "dateUpdated": "2022-12-29T00:00:00"}, "descriptions": [{"lang": "en", "value": "Protections against potential Server-Side Request Forgery (SSRF) vulnerabilities in Esri Portal for ArcGIS versions 10.9.1 and below were not fully honored and may allow a remote, unauthenticated attacker to forge requests to arbitrary URLs from the system, potentially leading to network enumeration or reading from hosts inside the network perimeter, a different issue than CVE-2022-38211 and CVE-2022-38212."}], "affected": [{"vendor": "Esri", "product": "ArcGIS Enterprise", "versions": [{"version": "Portal for ArcGIS", "status": "affected", "lessThanOrEqual": "10.9.1", "versionType": "custom"}], "platforms": ["x64"]}], "references": [{"url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2022-update-2-patch-is-now-available"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-918 Server-Side Request Forgery (SSRF)", "cweId": "CWE-918"}]}], "x_generator": {"engine": "vulnogram 0.1.0-rc1"}, "source": {"defect": ["BUG-000143573"], "discovery": "EXTERNAL"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T10:45:52.936Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2022-update-2-patch-is-now-available", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:esri:portal_for_arcgis:*:*:*:*:*:*:*:*", "matchCriteriaId": "F01BB2D5-9767-4369-A4ED-A336563B2B94", "versionEndIncluding": "10.9.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Protections against potential Server-Side Request Forgery (SSRF) vulnerabilities in Esri Portal for ArcGIS versions 10.9.1 and below were not fully honored and may allow a remote, unauthenticated attacker to forge requests to arbitrary URLs from the system, potentially leading to network enumeration or reading from hosts inside the network perimeter, a different issue than CVE-2022-38211 and CVE-2022-38212."}, {"lang": "es", "value": "Las protecciones contra posibles vulnerabilidades de Server-Side Request Forgery (SSRF) en Esri Portal for ArcGIS versiones 10.9.1 e inferiores no se respetaron en su totalidad y pueden permitir que un atacante remoto y no autenticado falsifique solicitudes a URL arbitrarias desde el sistema, lo que podr\u00eda provocar una enumeraci\u00f3n de la red o lectura desde hosts dentro del per\u00edmetro de la red, un problema diferente a CVE-2022-38211 y CVE-2022-38212."}], "id": "CVE-2022-38211", "lastModified": "2023-01-09T18:15:12.583", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "psirt@esri.com", "type": "Secondary"}]}, "published": "2022-12-29T20:15:10.080", "references": [{"source": "psirt@esri.com", "tags": ["Vendor Advisory"], "url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2022-update-2-patch-is-now-available"}], "sourceIdentifier": "psirt@esri.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "psirt@esri.com", "type": "Primary"}]}