CVE-2022-38199

A remote file download issue can occur in some capabilities of Esri ArcGIS Server web services that may in some edge cases allow a remote, unauthenticated attacker to induce an unsuspecting victim to launch a process in the victim's PATH environment. Current browsers provide users with warnings against running unsigned executables downloaded from the internet.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
6.1 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EsriCNA
6.1 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVEADP
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 56%
VendorProductVersion
esriarcgis_server
10.7.1
esriarcgis_server
10.8.1
esriarcgis_server
10.9.1
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://www.esri.com/arcgis-blog/products/administration/administration/arcgis-server-security-2022-update-1-patch
https://www.esri.com/arcgis-blog/products/administration/administration/arcgis-server-security-2022-update-1-patch