CVE-2024-25699

Published: Apr 4, 2024Modified: Feb 13, 2026

8.1

Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.2 / Impact: 5.9

Source: NVD

Description

There is a difficult‑to‑exploit improper authentication issue in the Home application for Esri Portal for ArcGIS versions 11.2 and below on Windows and Linux, and ArcGIS Enterprise versions 11.1 and below on Kubernetes, which under unique circumstances could allow a remote, authenticated attacker with low‑privileged access to compromise the confidentiality, integrity, and availability of the software. Successful exploitation allows the attacker to cross an authentication and authorization boundary beyond their originally assigned access, resulting in a scope change.

Affected (2)

Products: Esri: Portal For Arcgis, Arcgis Enterprise

2 products

Portal For Arcgis

Arcgis Enterprise

Configuration A

1 vulnerable · 2 platform

Vulnerable Software	Affected Versions
Esri Portal For Arcgis	From 10.8.1 to 11.2

Running on/with	Platform Versions
Linux Linux Kernel	All versions
Microsoft Windows	All versions

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Esri Arcgis Enterprise	Up to 11.1

Related CWEs

Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

References (2)

https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/portal-for-arcgis-security-2024-update-1/

Source: psirt@esri.com

Vendor Advisory

https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/portal-for-arcgis-security-2024-update-1/

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.