cvelistv5 - cve-2024-51961

CVE-2024-51961 (GCVE-0-2024-51961)

Vulnerability from cvelistv5 – Published: 2025-03-03 19:58 – Updated: 2025-04-10 19:25

Summary

There is a local file inclusion vulnerability in ArcGIS Server 11.3 and below that may allow a remote, unauthenticated attacker to craft a URL that could potentially disclose sensitive configuration information by reading internal files from the remote server. Due to the nature of the files accessible in this vulnerability the impact to confidentiality is High there is no impact to both integrity or availability.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE

CWE-73 - External Control of File Name or Path

Assigner

Esri

References

URL

Tags

https://www.esri.com/arcgis-blog/products/trust-a…

Impacted products

	Vendor	Product	Version
	Esri	ArcGIS Server	Affected: all , ≤ 11.3 (all)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-51961",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-03T20:43:53.013225Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-03T20:47:06.768Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "Windows",
            "Linux"
          ],
          "product": "ArcGIS Server",
          "vendor": "Esri",
          "versions": [
            {
              "lessThanOrEqual": "11.3",
              "status": "affected",
              "version": "all",
              "versionType": "all"
            }
          ]
        }
      ],
      "datePublic": "2025-02-28T20:39:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "There is a local file inclusion vulnerability in ArcGIS Server 11.3 and below that may allow a remote, unauthenticated attacker to craft a URL that could potentially disclose sensitive configuration information by reading internal files from the remote server.\u0026nbsp; Due to the nature of the files accessible in this vulnerability the impact to confidentiality is High there is no impact to both integrity or availability."
            }
          ],
          "value": "There is a local file inclusion vulnerability in ArcGIS Server 11.3 and below that may allow a remote, unauthenticated attacker to craft a URL that could potentially disclose sensitive configuration information by reading internal files from the remote server.\u00a0 Due to the nature of the files accessible in this vulnerability the impact to confidentiality is High there is no impact to both integrity or availability."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-252",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-252 PHP Local File Inclusion"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-73",
              "description": "CWE-73: External Control of File Name or Path",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-04-10T19:25:47.824Z",
        "orgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
        "shortName": "Esri"
      },
      "references": [
        {
          "url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch/"
        }
      ],
      "source": {
        "defect": [
          "BUG-000171443"
        ],
        "discovery": "UNKNOWN"
      },
      "title": "Local file inclusion (LFI) vulnerability in ArcGIS Server",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
    "assignerShortName": "Esri",
    "cveId": "CVE-2024-51961",
    "datePublished": "2025-03-03T19:58:26.627Z",
    "dateReserved": "2024-11-04T16:54:39.393Z",
    "dateUpdated": "2025-04-10T19:25:47.824Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-51961\",\"sourceIdentifier\":\"psirt@esri.com\",\"published\":\"2025-03-03T20:15:42.863\",\"lastModified\":\"2025-04-10T20:15:21.467\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"There is a local file inclusion vulnerability in ArcGIS Server 11.3 and below that may allow a remote, unauthenticated attacker to craft a URL that could potentially disclose sensitive configuration information by reading internal files from the remote server.\u00a0 Due to the nature of the files accessible in this vulnerability the impact to confidentiality is High there is no impact to both integrity or availability.\"},{\"lang\":\"es\",\"value\":\"Existe una vulnerabilidad de inclusi\u00f3n de archivos locales en ArcGIS Server 10.9.1 a 11.3 que puede permitir que un atacante remoto no autenticado manipule una URL que podr\u00eda revelar informaci\u00f3n de configuraci\u00f3n confidencial al leer archivos internos del servidor remoto. Debido a la naturaleza de los archivos a los que se puede acceder en esta vulnerabilidad, el impacto en la confidencialidad es alto y no hay impacto en la integridad ni en la disponibilidad.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"psirt@esri.com\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"psirt@esri.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-73\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-610\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:esri:arcgis_server:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"10.9.1\",\"versionEndIncluding\":\"11.3\",\"matchCriteriaId\":\"0F9FCA91-B1DE-4C4E-8E33-C42BEA8F53D0\"}]}]}],\"references\":[{\"url\":\"https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch/\",\"source\":\"psirt@esri.com\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-51961\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-03-03T20:43:53.013225Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-03-03T20:44:03.615Z\"}}], \"cna\": {\"title\": \"Local file inclusion (LFI) vulnerability in ArcGIS Server\", \"source\": {\"defect\": [\"BUG-000171443\"], \"discovery\": \"UNKNOWN\"}, \"impacts\": [{\"capecId\": \"CAPEC-252\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-252 PHP Local File Inclusion\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Esri\", \"product\": \"ArcGIS Server\", \"versions\": [{\"status\": \"affected\", \"version\": \"all\", \"versionType\": \"all\", \"lessThanOrEqual\": \"11.3\"}], \"platforms\": [\"Windows\", \"Linux\"], \"defaultStatus\": \"unaffected\"}], \"datePublic\": \"2025-02-28T20:39:00.000Z\", \"references\": [{\"url\": \"https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch/\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.1.0-dev\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"There is a local file inclusion vulnerability in ArcGIS Server 11.3 and below that may allow a remote, unauthenticated attacker to craft a URL that could potentially disclose sensitive configuration information by reading internal files from the remote server.\\u00a0 Due to the nature of the files accessible in this vulnerability the impact to confidentiality is High there is no impact to both integrity or availability.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"There is a local file inclusion vulnerability in ArcGIS Server 11.3 and below that may allow a remote, unauthenticated attacker to craft a URL that could potentially disclose sensitive configuration information by reading internal files from the remote server.\u0026nbsp; Due to the nature of the files accessible in this vulnerability the impact to confidentiality is High there is no impact to both integrity or availability.\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-73\", \"description\": \"CWE-73: External Control of File Name or Path\"}]}], \"providerMetadata\": {\"orgId\": \"cedc17bb-4939-4f40-a1f4-30ae8af1094e\", \"shortName\": \"Esri\", \"dateUpdated\": \"2025-04-10T19:25:47.824Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-51961\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-04-10T19:25:47.824Z\", \"dateReserved\": \"2024-11-04T16:54:39.393Z\", \"assignerOrgId\": \"cedc17bb-4939-4f40-a1f4-30ae8af1094e\", \"datePublished\": \"2025-03-03T19:58:26.627Z\", \"assignerShortName\": \"Esri\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

CNVD-2025-05082

Vulnerability from cnvd - Published: 2025-03-13

Title

Esri ArcGIS Server文件包含漏洞

Description

Esri ArcGIS Server是Esri公司的一个面向Web的可用于提供地理位置服务的企业级软件平台。 Esri ArcGIS Server 10.9.1至11.3版本存在文件包含漏洞，该漏洞源于未对本地文件资源的调用做有效过滤，远程未认证攻击者可利用此漏洞读取内部文件。

Severity

高

Patch Name

Esri ArcGIS Server文件包含漏洞的补丁

Patch Description

Esri ArcGIS Server是Esri公司的一个面向Web的可用于提供地理位置服务的企业级软件平台。 Esri ArcGIS Server 10.9.1至11.3版本存在文件包含漏洞，该漏洞源于未对本地文件资源的调用做有效过滤，远程未认证攻击者可利用此漏洞读取内部文件。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://support.esri.com/en-us/patches-updates/2025/arcgis-server-security-2025-update-1

Reference

https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch/

Impacted products

Name
ESRI ArcGIS Server >=10.9.1，<=11.3

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2024-51961",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2024-51961"
    }
  },
  "description": "Esri ArcGIS Server\u662fEsri\u516c\u53f8\u7684\u4e00\u4e2a\u9762\u5411Web\u7684\u53ef\u7528\u4e8e\u63d0\u4f9b\u5730\u7406\u4f4d\u7f6e\u670d\u52a1\u7684\u4f01\u4e1a\u7ea7\u8f6f\u4ef6\u5e73\u53f0\u3002\n\nEsri ArcGIS Server 10.9.1\u81f311.3\u7248\u672c\u5b58\u5728\u6587\u4ef6\u5305\u542b\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u672a\u5bf9\u672c\u5730\u6587\u4ef6\u8d44\u6e90\u7684\u8c03\u7528\u505a\u6709\u6548\u8fc7\u6ee4\uff0c\u8fdc\u7a0b\u672a\u8ba4\u8bc1\u653b\u51fb\u8005\u53ef\u5229\u7528\u6b64\u6f0f\u6d1e\u8bfb\u53d6\u5185\u90e8\u6587\u4ef6\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://support.esri.com/en-us/patches-updates/2025/arcgis-server-security-2025-update-1",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2025-05082",
  "openTime": "2025-03-13",
  "patchDescription": "Esri ArcGIS Server\u662fEsri\u516c\u53f8\u7684\u4e00\u4e2a\u9762\u5411Web\u7684\u53ef\u7528\u4e8e\u63d0\u4f9b\u5730\u7406\u4f4d\u7f6e\u670d\u52a1\u7684\u4f01\u4e1a\u7ea7\u8f6f\u4ef6\u5e73\u53f0\u3002\r\n\r\nEsri ArcGIS Server 10.9.1\u81f311.3\u7248\u672c\u5b58\u5728\u6587\u4ef6\u5305\u542b\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u672a\u5bf9\u672c\u5730\u6587\u4ef6\u8d44\u6e90\u7684\u8c03\u7528\u505a\u6709\u6548\u8fc7\u6ee4\uff0c\u8fdc\u7a0b\u672a\u8ba4\u8bc1\u653b\u51fb\u8005\u53ef\u5229\u7528\u6b64\u6f0f\u6d1e\u8bfb\u53d6\u5185\u90e8\u6587\u4ef6\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Esri ArcGIS Server\u6587\u4ef6\u5305\u542b\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "ESRI ArcGIS Server \u003e=10.9.1\uff0c\u003c=11.3"
  },
  "referenceLink": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch/",
  "serverity": "\u9ad8",
  "submitTime": "2025-03-07",
  "title": "Esri ArcGIS Server\u6587\u4ef6\u5305\u542b\u6f0f\u6d1e"
}

GHSA-CG48-XW7Q-CPC8

Vulnerability from github – Published: 2025-03-03 21:31 – Updated: 2025-04-10 21:31

Details

There is a local file inclusion vulnerability in ArcGIS Server 10.9.1 thru 11.3 that may allow a remote, unauthenticated attacker to craft a URL that could potentially disclose sensitive configuration information by reading internal files from the remote server. Due to the nature of the files accessible in this vulnerability the impact to confidentiality is High there is no impact to both integrity or availability.

Severity ?

7.5 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2024-51961"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-610",
      "CWE-73"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-03T20:15:42Z",
    "severity": "HIGH"
  },
  "details": "There is a local file inclusion vulnerability in ArcGIS Server 10.9.1 thru 11.3 that may allow a remote, unauthenticated attacker to craft a URL that could potentially disclose sensitive configuration information by reading internal files from the remote server.\u00a0 Due to the nature of the files accessible in this vulnerability the impact to confidentiality is High there is no impact to both integrity or availability.",
  "id": "GHSA-cg48-xw7q-cpc8",
  "modified": "2025-04-10T21:31:07Z",
  "published": "2025-03-03T21:31:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-51961"
    },
    {
      "type": "WEB",
      "url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

FKIE_CVE-2024-51961

Vulnerability from fkie_nvd - Published: 2025-03-03 20:15 - Updated: 2025-04-10 20:15

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Summary

References

	URL	Tags
	psirt@esri.com	https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch/	Vendor Advisory

Impacted products

	Vendor	Product	Version
	esri	arcgis_server	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:esri:arcgis_server:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "0F9FCA91-B1DE-4C4E-8E33-C42BEA8F53D0",
              "versionEndIncluding": "11.3",
              "versionStartIncluding": "10.9.1",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "There is a local file inclusion vulnerability in ArcGIS Server 11.3 and below that may allow a remote, unauthenticated attacker to craft a URL that could potentially disclose sensitive configuration information by reading internal files from the remote server.\u00a0 Due to the nature of the files accessible in this vulnerability the impact to confidentiality is High there is no impact to both integrity or availability."
    },
    {
      "lang": "es",
      "value": "Existe una vulnerabilidad de inclusi\u00f3n de archivos locales en ArcGIS Server 10.9.1 a 11.3 que puede permitir que un atacante remoto no autenticado manipule una URL que podr\u00eda revelar informaci\u00f3n de configuraci\u00f3n confidencial al leer archivos internos del servidor remoto. Debido a la naturaleza de los archivos a los que se puede acceder en esta vulnerabilidad, el impacto en la confidencialidad es alto y no hay impacto en la integridad ni en la disponibilidad."
    }
  ],
  "id": "CVE-2024-51961",
  "lastModified": "2025-04-10T20:15:21.467",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "psirt@esri.com",
        "type": "Primary"
      }
    ]
  },
  "published": "2025-03-03T20:15:42.863",
  "references": [
    {
      "source": "psirt@esri.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch/"
    }
  ],
  "sourceIdentifier": "psirt@esri.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-73"
        }
      ],
      "source": "psirt@esri.com",
      "type": "Primary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-610"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Secondary"
    }
  ]
}

WID-SEC-W-2025-0476

Vulnerability from csaf_certbund - Published: 2025-03-03 23:00 - Updated: 2025-03-03 23:00

Summary

ESRI ArcGIS: Mehrere Schwachstellen

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

ArcGIS ist ein Geoinformationssystem.

Angriff

Ein entfernter, authentifizierter Angreifer kann mehrere Schwachstellen in ESRI ArcGIS ausnutzen, um Dateien zu manipulieren, Cross-Site-Scripting durchzuführen, Informationen offenzulegen oder Sicherheitsvorkehrungen zu umgehen.

Betroffene Betriebssysteme

- Sonstiges - Windows

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "ArcGIS ist ein Geoinformationssystem.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, authentifizierter Angreifer kann mehrere Schwachstellen in ESRI ArcGIS ausnutzen, um Dateien zu manipulieren, Cross-Site-Scripting durchzuf\u00fchren, Informationen offenzulegen oder Sicherheitsvorkehrungen zu umgehen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Sonstiges\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2025-0476 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2025/wid-sec-w-2025-0476.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2025-0476 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-0476"
      },
      {
        "category": "external",
        "summary": "ArcGIS Server Security 2025 Update 1 vom 2025-03-03",
        "url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch/"
      }
    ],
    "source_lang": "en-US",
    "title": "ESRI ArcGIS: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2025-03-03T23:00:00.000+00:00",
      "generator": {
        "date": "2025-03-04T10:32:52.564+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.12"
        }
      },
      "id": "WID-SEC-W-2025-0476",
      "initial_release_date": "2025-03-03T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2025-03-03T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "Server Security \u003c2025 Update 1",
                "product": {
                  "name": "ESRI ArcGIS Server Security \u003c2025 Update 1",
                  "product_id": "T041548"
                }
              },
              {
                "category": "product_version",
                "name": "Server Security 2025 Update 1",
                "product": {
                  "name": "ESRI ArcGIS Server Security 2025 Update 1",
                  "product_id": "T041548-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:esri:arcgis:server_security__2025_update_1"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "ArcGIS"
          }
        ],
        "category": "vendor",
        "name": "ESRI"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-51962",
      "product_status": {
        "known_affected": [
          "T041548"
        ]
      },
      "release_date": "2025-03-03T23:00:00.000+00:00",
      "title": "CVE-2024-51962"
    },
    {
      "cve": "CVE-2024-51954",
      "product_status": {
        "known_affected": [
          "T041548"
        ]
      },
      "release_date": "2025-03-03T23:00:00.000+00:00",
      "title": "CVE-2024-51954"
    },
    {
      "cve": "CVE-2024-51961",
      "product_status": {
        "known_affected": [
          "T041548"
        ]
      },
      "release_date": "2025-03-03T23:00:00.000+00:00",
      "title": "CVE-2024-51961"
    },
    {
      "cve": "CVE-2024-51958",
      "product_status": {
        "known_affected": [
          "T041548"
        ]
      },
      "release_date": "2025-03-03T23:00:00.000+00:00",
      "title": "CVE-2024-51958"
    },
    {
      "cve": "CVE-2024-51966",
      "product_status": {
        "known_affected": [
          "T041548"
        ]
      },
      "release_date": "2025-03-03T23:00:00.000+00:00",
      "title": "CVE-2024-51966"
    },
    {
      "cve": "CVE-2024-10904",
      "product_status": {
        "known_affected": [
          "T041548"
        ]
      },
      "release_date": "2025-03-03T23:00:00.000+00:00",
      "title": "CVE-2024-10904"
    },
    {
      "cve": "CVE-2024-51942",
      "product_status": {
        "known_affected": [
          "T041548"
        ]
      },
      "release_date": "2025-03-03T23:00:00.000+00:00",
      "title": "CVE-2024-51942"
    },
    {
      "cve": "CVE-2024-51943",
      "product_status": {
        "known_affected": [
          "T041548"
        ]
      },
      "release_date": "2025-03-03T23:00:00.000+00:00",
      "title": "CVE-2024-51943"
    },
    {
      "cve": "CVE-2024-51944",
      "product_status": {
        "known_affected": [
          "T041548"
        ]
      },
      "release_date": "2025-03-03T23:00:00.000+00:00",
      "title": "CVE-2024-51944"
    },
    {
      "cve": "CVE-2024-51945",
      "product_status": {
        "known_affected": [
          "T041548"
        ]
      },
      "release_date": "2025-03-03T23:00:00.000+00:00",
      "title": "CVE-2024-51945"
    },
    {
      "cve": "CVE-2024-51946",
      "product_status": {
        "known_affected": [
          "T041548"
        ]
      },
      "release_date": "2025-03-03T23:00:00.000+00:00",
      "title": "CVE-2024-51946"
    },
    {
      "cve": "CVE-2024-51947",
      "product_status": {
        "known_affected": [
          "T041548"
        ]
      },
      "release_date": "2025-03-03T23:00:00.000+00:00",
      "title": "CVE-2024-51947"
    },
    {
      "cve": "CVE-2024-51948",
      "product_status": {
        "known_affected": [
          "T041548"
        ]
      },
      "release_date": "2025-03-03T23:00:00.000+00:00",
      "title": "CVE-2024-51948"
    },
    {
      "cve": "CVE-2024-51949",
      "product_status": {
        "known_affected": [
          "T041548"
        ]
      },
      "release_date": "2025-03-03T23:00:00.000+00:00",
      "title": "CVE-2024-51949"
    },
    {
      "cve": "CVE-2024-51950",
      "product_status": {
        "known_affected": [
          "T041548"
        ]
      },
      "release_date": "2025-03-03T23:00:00.000+00:00",
      "title": "CVE-2024-51950"
    },
    {
      "cve": "CVE-2024-51951",
      "product_status": {
        "known_affected": [
          "T041548"
        ]
      },
      "release_date": "2025-03-03T23:00:00.000+00:00",
      "title": "CVE-2024-51951"
    },
    {
      "cve": "CVE-2024-51952",
      "product_status": {
        "known_affected": [
          "T041548"
        ]
      },
      "release_date": "2025-03-03T23:00:00.000+00:00",
      "title": "CVE-2024-51952"
    },
    {
      "cve": "CVE-2024-51953",
      "product_status": {
        "known_affected": [
          "T041548"
        ]
      },
      "release_date": "2025-03-03T23:00:00.000+00:00",
      "title": "CVE-2024-51953"
    },
    {
      "cve": "CVE-2024-51956",
      "product_status": {
        "known_affected": [
          "T041548"
        ]
      },
      "release_date": "2025-03-03T23:00:00.000+00:00",
      "title": "CVE-2024-51956"
    },
    {
      "cve": "CVE-2024-51957",
      "product_status": {
        "known_affected": [
          "T041548"
        ]
      },
      "release_date": "2025-03-03T23:00:00.000+00:00",
      "title": "CVE-2024-51957"
    },
    {
      "cve": "CVE-2024-51959",
      "product_status": {
        "known_affected": [
          "T041548"
        ]
      },
      "release_date": "2025-03-03T23:00:00.000+00:00",
      "title": "CVE-2024-51959"
    },
    {
      "cve": "CVE-2024-51960",
      "product_status": {
        "known_affected": [
          "T041548"
        ]
      },
      "release_date": "2025-03-03T23:00:00.000+00:00",
      "title": "CVE-2024-51960"
    },
    {
      "cve": "CVE-2024-51963",
      "product_status": {
        "known_affected": [
          "T041548"
        ]
      },
      "release_date": "2025-03-03T23:00:00.000+00:00",
      "title": "CVE-2024-51963"
    },
    {
      "cve": "CVE-2024-5888",
      "product_status": {
        "known_affected": [
          "T041548"
        ]
      },
      "release_date": "2025-03-03T23:00:00.000+00:00",
      "title": "CVE-2024-5888"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2024-51961 (GCVE-0-2024-51961)

CNVD-2025-05082

GHSA-CG48-XW7Q-CPC8

FKIE_CVE-2024-51961

WID-SEC-W-2025-0476

Tags

Sightings

Nomenclature