CVE-2024-38040

Published: Oct 4, 2024Modified: Apr 10, 2025

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

There is a local file inclusion vulnerability in Esri Portal for ArcGIS 11.2 and below that may allow a remote, unauthenticated attacker to craft a URL that could potentially disclose sensitive configuration information by reading internal files.

Affected (4)

Products: Esri: Portal For Arcgis

Esri

1 product

Portal For Arcgis

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Esri Portal For Arcgis	Version 10.9.1
Esri Portal For Arcgis	Version 11.0
Esri Portal For Arcgis	Version 11.1
Esri Portal For Arcgis	Version 11.2

Related CWEs

CWE-73

External Control of File Name or Path

The product allows user input to control or influence paths or file names that are used in filesystem operations.

References (1)

https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2024-update-2-released/

Source: psirt@esri.com

Vendor Advisory

Timeline

No history available yet.