Cloud Vulnerability DB
A community-led vulnerabilities database
Vulnerability DatabaseCVE-2022-38197
CVE-2022-38197:
ArcGIS Server vulnerability analysis and mitigation
Overview
Esri ArcGIS Server versions 10.9.1 and below contain an unvalidated redirect vulnerability identified as CVE-2022-38197. The vulnerability was disclosed on October 25, 2022, affecting the ArcGIS Server software platform (Vendor Advisory).
Technical details
The vulnerability is classified as CWE-601 (URL Redirection to Untrusted Site) with a CVSS v3.1 base score of 6.1 MEDIUM (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). The vulnerability allows for unvalidated redirects through crafted query parameters (NVD).
Impact
If exploited, this vulnerability could allow a remote, unauthenticated attacker to perform phishing attacks by redirecting users to attacker-controlled websites through crafted query parameters (Vendor Advisory).
Mitigation and workarounds
Esri has released an official security patch (ArcGIS Server Security 2022 Update 1 Patch) to address this vulnerability. As a workaround, administrators can disable administration via the ArcGIS Web Adaptor, which is recommended as a best practice when exposing ArcGIS Server to the public internet (Vendor Advisory).
Additional resources
Source: This report was generated using AI
Related ArcGIS Server vulnerabilities:
Free Vulnerability Assessment
Benchmark your Cloud Security Posture
Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.
Additional Wiz resources
Get a personalized demo
Ready to see Wiz in action?
"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management