CVE-2022-38199

A remote file download issue can occur in some capabilities of Esri ArcGIS Server web services that may in some edge cases allow a remote, unauthenticated attacker to induce an unsuspecting victim to launch a process in the victim's PATH environment. Current browsers provide users with warnings against running unsigned executables downloaded from the internet.
Provider  Type  Base Score  Atk. Vector  Atk. Complexity  Priv. Required  Vector
Esri      CNA   6.1 MEDIUM  NETWORK      LOW              NONE            CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS Score
Percentile: 41%
Affected Products (NVD)
Vendor  Product        Version
esri    arcgis_server  10.7.1
esri    arcgis_server  10.8.1
esri    arcgis_server  10.9.1
𝑥 = Vulnerable software versions
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
Vendor  Product  Version     Source
esri    arcgis   𝑥 ≤ 10.9.1  CNA