CVE-2022-38199: 
ArcGIS Server vulnerability analysis and mitigation

CVE-2022-38199 is a remote file download vulnerability affecting Esri ArcGIS Server versions 10.9.1 and below. The vulnerability was disclosed on October 25, 2022, and allows a remote, unauthenticated attacker to potentially induce an unsuspecting victim to launch a process in the victim's PATH environment (Vendor Advisory).

The vulnerability is classified as CWE-494 (Download of Code Without Integrity Check) with a CVSS v3.1 Base Score of 6.1 MEDIUM (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). The vulnerability exists in some capabilities of web services provided by Esri ArcGIS Server, where current browsers provide users with warnings against running unsigned executables downloaded from the internet (NVD, Vendor Advisory).

The vulnerability could allow an unauthenticated attacker to trick users into executing unauthorized processes through their PATH environment. The impact is rated as having low confidentiality and integrity impact, with no availability impact (Vendor Advisory).

Esri has released the ArcGIS Server Security 2022 Update 1 Patch that addresses this vulnerability along with other security issues. The patch is available for versions 10.9.1, 10.8.1, and 10.7.1. System administrators are advised to install this patch at their earliest opportunity (Vendor Advisory).