Vulnerability-Lookup

CVE-2023-25848 (GCVE-0-2023-25848)

Vulnerability from cvelistv5 – Published: 2023-08-25 18:44 – Updated: 2024-10-08 16:33

Title

BUG-000158039 - There is an information disclosure issue in ArcGIS Server.

Summary

ArcGIS Enterprise Server versions 11.0 and below have an information disclosure vulnerability where a remote, unauthorized attacker may submit a crafted query that may result in a low severity information disclosure issue. The information disclosed is limited to a single attribute in a database connection string. No business data is disclosed.

Severity ?

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CWE

CWE-319 - Cleartext Transmission of Sensitive Information

Assigner

Esri

References

URL

Tags

https://www.esri.com/arcgis-blog/products/trust-a…

Impacted products

	Vendor	Product	Version
	Esri	ArcGIS Enterprise Server	Affected: 10.8.1 Affected: 10.9.1 Affected: 11.0 Affected: 11.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T11:32:12.687Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/announcements/arcgis-server-map-and-feature-service-security-2023-update-1-patch/"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-25848",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-02T15:01:22.781949Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-02T15:01:51.359Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "x86"
          ],
          "product": "ArcGIS Enterprise Server",
          "vendor": "Esri",
          "versions": [
            {
              "status": "affected",
              "version": "10.8.1"
            },
            {
              "status": "affected",
              "version": "10.9.1"
            },
            {
              "status": "affected",
              "version": "11.0"
            },
            {
              "status": "affected",
              "version": "11.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(13, 17, 23);\"\u003e\n\n\u003cp\u003e\u003cstrong\u003e\n\nArcGIS Enterprise Server versions 11.0 and below have an information disclosure vulnerability where a remote, unauthorized attacker may submit a crafted query that may result in a low severity information disclosure issue. \u003cbr\u003e\nThe information disclosed is limited to a single attribute in a database connection string. No business data is disclosed.\n\n\u003c/strong\u003e\u003cbr\u003e\u003c/p\u003e\n\n\u003c/span\u003e"
            }
          ],
          "value": "ArcGIS Enterprise Server versions 11.0 and below have an information disclosure vulnerability where a remote, unauthorized attacker may submit a crafted query that may result in a low severity information disclosure issue. \n\nThe information disclosed is limited to a single attribute in a database connection string. No business data is disclosed."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-54",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-54 Query System for Information"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-319",
              "description": "CWE-319 Cleartext Transmission of Sensitive Information",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-10-08T16:33:52.950Z",
        "orgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
        "shortName": "Esri"
      },
      "references": [
        {
          "url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/announcements/arcgis-server-map-and-feature-service-security-2023-update-1-patch/"
        }
      ],
      "source": {
        "defect": [
          "BUG-000158039"
        ],
        "discovery": "UNKNOWN"
      },
      "title": "BUG-000158039 - There is an information disclosure issue in ArcGIS Server.",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
    "assignerShortName": "Esri",
    "cveId": "CVE-2023-25848",
    "datePublished": "2023-08-25T18:44:14.016Z",
    "dateReserved": "2023-02-15T17:59:31.099Z",
    "dateUpdated": "2024-10-08T16:33:52.950Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-25848\",\"sourceIdentifier\":\"psirt@esri.com\",\"published\":\"2023-08-25T19:15:08.670\",\"lastModified\":\"2024-11-21T07:50:18.600\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"ArcGIS Enterprise Server versions 11.0 and below have an information disclosure vulnerability where a remote, unauthorized attacker may submit a crafted query that may result in a low severity information disclosure issue. \\n\\nThe information disclosed is limited to a single attribute in a database connection string. No business data is disclosed.\"},{\"lang\":\"es\",\"value\":\"Las versiones 11.0 y posteriores de ArcGIS Enterprise Server presentan una vulnerabilidad de divulgaci\u00f3n de informaci\u00f3n por la que un atacante remoto no autorizado puede enviar una consulta manipulada que puede dar lugar a un problema de divulgaci\u00f3n de informaci\u00f3n de baja gravedad. \\n\\nLa informaci\u00f3n revelada se limita a un \u00fanico atributo en una cadena de conexi\u00f3n de base de datos. No se revelan datos comerciales.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"psirt@esri.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"psirt@esri.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-319\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:esri:arcgis_server:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"10.8.1\",\"versionEndIncluding\":\"11.0\",\"matchCriteriaId\":\"BEA722C4-4C48-4786-9720-267D7DC95095\"}]}]}],\"references\":[{\"url\":\"https://www.esri.com/arcgis-blog/products/trust-arcgis/announcements/arcgis-server-map-and-feature-service-security-2023-update-1-patch/\",\"source\":\"psirt@esri.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.esri.com/arcgis-blog/products/trust-arcgis/announcements/arcgis-server-map-and-feature-service-security-2023-update-1-patch/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://www.esri.com/arcgis-blog/products/trust-arcgis/announcements/arcgis-server-map-and-feature-service-security-2023-update-1-patch/\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T11:32:12.687Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-25848\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-10-02T15:01:22.781949Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-10-02T15:01:48.091Z\"}}], \"cna\": {\"title\": \"BUG-000158039 - There is an information disclosure issue in ArcGIS Server.\", \"source\": {\"defect\": [\"BUG-000158039\"], \"discovery\": \"UNKNOWN\"}, \"impacts\": [{\"capecId\": \"CAPEC-54\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-54 Query System for Information\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Esri\", \"product\": \"ArcGIS Enterprise Server\", \"versions\": [{\"status\": \"affected\", \"version\": \"10.8.1\"}, {\"status\": \"affected\", \"version\": \"10.9.1\"}, {\"status\": \"affected\", \"version\": \"11.0\"}, {\"status\": \"affected\", \"version\": \"11.1\"}], \"platforms\": [\"x86\"], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://www.esri.com/arcgis-blog/products/trust-arcgis/announcements/arcgis-server-map-and-feature-service-security-2023-update-1-patch/\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.1.0-dev\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"ArcGIS Enterprise Server versions 11.0 and below have an information disclosure vulnerability where a remote, unauthorized attacker may submit a crafted query that may result in a low severity information disclosure issue. \\n\\nThe information disclosed is limited to a single attribute in a database connection string. No business data is disclosed.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cspan style=\\\"background-color: rgb(13, 17, 23);\\\"\u003e\\n\\n\u003cp\u003e\u003cstrong\u003e\\n\\nArcGIS Enterprise Server versions 11.0 and below have an information disclosure vulnerability where a remote, unauthorized attacker may submit a crafted query that may result in a low severity information disclosure issue. \u003cbr\u003e\\nThe information disclosed is limited to a single attribute in a database connection string. No business data is disclosed.\\n\\n\u003c/strong\u003e\u003cbr\u003e\u003c/p\u003e\\n\\n\u003c/span\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-319\", \"description\": \"CWE-319 Cleartext Transmission of Sensitive Information\"}]}], \"providerMetadata\": {\"orgId\": \"cedc17bb-4939-4f40-a1f4-30ae8af1094e\", \"shortName\": \"Esri\", \"dateUpdated\": \"2024-10-08T16:33:52.950Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2023-25848\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-10-08T16:33:52.950Z\", \"dateReserved\": \"2023-02-15T17:59:31.099Z\", \"assignerOrgId\": \"cedc17bb-4939-4f40-a1f4-30ae8af1094e\", \"datePublished\": \"2023-08-25T18:44:14.016Z\", \"assignerShortName\": \"Esri\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

GHSA-MWG5-7GHX-PWGC

Vulnerability from github – Published: 2023-08-25 21:30 – Updated: 2024-04-04 07:13

Details

The information disclosed is limited to a single attribute in a database connection string. No business data is disclosed.

Severity ?

5.3 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2023-25848"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-319"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-08-25T19:15:08Z",
    "severity": "MODERATE"
  },
  "details": "\n\n\n\n\nArcGIS Enterprise Server versions 11.0 and below have an information disclosure vulnerability where a remote, unauthorized attacker may submit a crafted query that may result in a low severity information disclosure issue. \n\nThe information disclosed is limited to a single attribute in a database connection string. No business data is disclosed.\n\n\n\n\n\n\n\n\n",
  "id": "GHSA-mwg5-7ghx-pwgc",
  "modified": "2024-04-04T07:13:12Z",
  "published": "2023-08-25T21:30:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25848"
    },
    {
      "type": "WEB",
      "url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/announcements/arcgis-server-map-and-feature-service-security-2023-update-1-patch"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GSD-2023-25848

Vulnerability from gsd - Updated: 2023-12-13 01:20

Details

Aliases

CVE-2023-25848

Aliases

CVE-2023-25848

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2023-25848",
    "id": "GSD-2023-25848"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2023-25848"
      ],
      "details": "\n\n\n\n\nArcGIS Enterprise Server versions 11.0 and below have an information disclosure vulnerability where a remote, unauthorized attacker may submit a crafted query that may result in a low severity information disclosure issue. \n\nThe information disclosed is limited to a single attribute in a database connection string. No business data is disclosed.\n\n\n\n\n\n\n\n\n",
      "id": "GSD-2023-25848",
      "modified": "2023-12-13T01:20:40.677045Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "psirt@esri.com",
        "ID": "CVE-2023-25848",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Server",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "10.8.1"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "10.9.1"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "11.0"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "11.1"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Esri"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "\n\n\n\n\nArcGIS Enterprise Server versions 11.0 and below have an information disclosure vulnerability where a remote, unauthorized attacker may submit a crafted query that may result in a low severity information disclosure issue. \n\nThe information disclosed is limited to a single attribute in a database connection string. No business data is disclosed.\n\n\n\n\n\n\n\n\n"
          }
        ]
      },
      "generator": {
        "engine": "Vulnogram 0.1.0-dev"
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-319",
                "lang": "eng",
                "value": "CWE-319 Cleartext Transmission of Sensitive Information"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://www.esri.com/arcgis-blog/products/trust-arcgis/announcements/arcgis-server-map-and-feature-service-security-2023-update-1-patch/",
            "refsource": "MISC",
            "url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/announcements/arcgis-server-map-and-feature-service-security-2023-update-1-patch/"
          }
        ]
      },
      "source": {
        "defect": [
          "BUG-000158039"
        ],
        "discovery": "UNKNOWN"
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:esri:arcgis_server:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "11.0",
                "versionStartIncluding": "10.8.1",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "psirt@esri.com",
          "ID": "CVE-2023-25848"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "\n\n\n\n\nArcGIS Enterprise Server versions 11.0 and below have an information disclosure vulnerability where a remote, unauthorized attacker may submit a crafted query that may result in a low severity information disclosure issue. \n\nThe information disclosed is limited to a single attribute in a database connection string. No business data is disclosed.\n\n\n\n\n\n\n\n\n"
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-319"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.esri.com/arcgis-blog/products/trust-arcgis/announcements/arcgis-server-map-and-feature-service-security-2023-update-1-patch/",
              "refsource": "MISC",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/announcements/arcgis-server-map-and-feature-service-security-2023-update-1-patch/"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 1.4
        }
      },
      "lastModifiedDate": "2023-08-31T14:29Z",
      "publishedDate": "2023-08-25T19:15Z"
    }
  }
}

CNVD-2025-08815

Vulnerability from cnvd - Published: 2025-04-29

Title

Esri ArcGIS Enterprise信息泄露漏洞

Description

Esri ArcGIS Enterprise是美国环境系统研究所（Esri）公司的一套GIS（地理信息系统）的基础软件。 Esri ArcGIS Enterprise存在信息泄露漏洞，该漏洞源于程序对敏感信息保护不足，攻击者可利用该漏洞提交精心设计的查询导致信息泄露。

Severity

中

Patch Name

Esri ArcGIS Enterprise信息泄露漏洞的补丁

Patch Description

Esri ArcGIS Enterprise是美国环境系统研究所（Esri）公司的一套GIS（地理信息系统）的基础软件。 Esri ArcGIS Enterprise存在信息泄露漏洞，该漏洞源于程序对敏感信息保护不足，攻击者可利用该漏洞提交精心设计的查询，导致信息泄露。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

目前厂商已发布升级程序修复该安全问题，详情见厂商官网： https://www.esri.com/arcgis-blog/products/trust-arcgis/announcements/arcgis-server-map-and-feature-service-security-2023-update-1-patch/

Reference

https://nvd.nist.gov/vuln/detail/CVE-2023-25848

Impacted products

Name
esri ArcGIS Enterprise <=11.0

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2023-25848",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2023-25848"
    }
  },
  "description": "Esri ArcGIS Enterprise\u662f\u7f8e\u56fd\u73af\u5883\u7cfb\u7edf\u7814\u7a76\u6240\uff08Esri\uff09\u516c\u53f8\u7684\u4e00\u5957GIS\uff08\u5730\u7406\u4fe1\u606f\u7cfb\u7edf\uff09\u7684\u57fa\u7840\u8f6f\u4ef6\u3002\n\nEsri ArcGIS Enterprise\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u5bf9\u654f\u611f\u4fe1\u606f\u4fdd\u62a4\u4e0d\u8db3\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u63d0\u4ea4\u7cbe\u5fc3\u8bbe\u8ba1\u7684\u67e5\u8be2\u5bfc\u81f4\u4fe1\u606f\u6cc4\u9732\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u7a0b\u5e8f\u4fee\u590d\u8be5\u5b89\u5168\u95ee\u9898\uff0c\u8be6\u60c5\u89c1\u5382\u5546\u5b98\u7f51\uff1a\r\nhttps://www.esri.com/arcgis-blog/products/trust-arcgis/announcements/arcgis-server-map-and-feature-service-security-2023-update-1-patch/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2025-08815",
  "openTime": "2025-04-29",
  "patchDescription": "Esri ArcGIS Enterprise\u662f\u7f8e\u56fd\u73af\u5883\u7cfb\u7edf\u7814\u7a76\u6240\uff08Esri\uff09\u516c\u53f8\u7684\u4e00\u5957GIS\uff08\u5730\u7406\u4fe1\u606f\u7cfb\u7edf\uff09\u7684\u57fa\u7840\u8f6f\u4ef6\u3002\r\n\r\nEsri ArcGIS Enterprise\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u5bf9\u654f\u611f\u4fe1\u606f\u4fdd\u62a4\u4e0d\u8db3\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u63d0\u4ea4\u7cbe\u5fc3\u8bbe\u8ba1\u7684\u67e5\u8be2\uff0c\u5bfc\u81f4\u4fe1\u606f\u6cc4\u9732\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Esri ArcGIS Enterprise\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "esri ArcGIS Enterprise \u003c=11.0"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2023-25848",
  "serverity": "\u4e2d",
  "submitTime": "2023-08-29",
  "title": "Esri ArcGIS Enterprise\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e"
}

WID-SEC-W-2023-2179

Vulnerability from csaf_certbund - Published: 2023-08-27 22:00 - Updated: 2023-08-27 22:00

Summary

ESRI ArcGIS: Schwachstelle ermöglicht Offenlegung von Informationen

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

ArcGIS ist ein Geoinformationssystem.

Angriff

Ein entfernter, anonymer Angreifer kann eine Schwachstelle in ESRI ArcGIS ausnutzen, um Informationen offenzulegen.

Betroffene Betriebssysteme

- Linux - Windows

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "mittel"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "ArcGIS ist ein Geoinformationssystem.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, anonymer Angreifer kann eine Schwachstelle in ESRI ArcGIS ausnutzen, um Informationen offenzulegen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2023-2179 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-2179.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2023-2179 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-2179"
      },
      {
        "category": "external",
        "summary": "The ArcGIS Security Bulletin vom 2023-08-27",
        "url": "https://github.com/advisories/GHSA-mwg5-7ghx-pwgc"
      },
      {
        "category": "external",
        "summary": "The ArcGIS Security Bulletin vom 2023-08-27",
        "url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/announcements/arcgis-server-map-and-feature-service-security-2023-update-1-patch/"
      }
    ],
    "source_lang": "en-US",
    "title": "ESRI ArcGIS: Schwachstelle erm\u00f6glicht Offenlegung von Informationen",
    "tracking": {
      "current_release_date": "2023-08-27T22:00:00.000+00:00",
      "generator": {
        "date": "2024-08-15T17:57:40.751+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.5"
        }
      },
      "id": "WID-SEC-W-2023-2179",
      "initial_release_date": "2023-08-27T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2023-08-27T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "ESRI ArcGIS Enterprise Server \u003c 11.1",
            "product": {
              "name": "ESRI ArcGIS Enterprise Server \u003c 11.1",
              "product_id": "T029568",
              "product_identification_helper": {
                "cpe": "cpe:/a:esri:arcgis:enterprise_server__11.1"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "ESRI"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-25848",
      "notes": [
        {
          "category": "description",
          "text": "Es besteht eine Schwachstelle in ESRI ArcGIS. Dieser Fehler besteht im Enterprise Server aufgrund einer unsachgem\u00e4\u00dfen Neutralisierung von speziellen Elementen, die in einem SQL-Befehl verwendet werden. Ein entfernter, nicht authentifizierter Angreifer kann diese Schwachstelle ausnutzen, um vertrauliche Informationen offenzulegen."
        }
      ],
      "release_date": "2023-08-27T22:00:00.000+00:00",
      "title": "CVE-2023-25848"
    }
  ]
}

FKIE_CVE-2023-25848

Vulnerability from fkie_nvd - Published: 2023-08-25 19:15 - Updated: 2024-11-21 07:50

Severity ?

5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Summary

References

	URL	Tags
	psirt@esri.com	https://www.esri.com/arcgis-blog/products/trust-arcgis/announcements/arcgis-server-map-and-feature-service-security-2023-update-1-patch/	Vendor Advisory
	af854a3a-2127-422b-91ae-364da2661108	https://www.esri.com/arcgis-blog/products/trust-arcgis/announcements/arcgis-server-map-and-feature-service-security-2023-update-1-patch/	Vendor Advisory

Impacted products

	Vendor	Product	Version
	esri	arcgis_server	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:esri:arcgis_server:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "BEA722C4-4C48-4786-9720-267D7DC95095",
              "versionEndIncluding": "11.0",
              "versionStartIncluding": "10.8.1",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "ArcGIS Enterprise Server versions 11.0 and below have an information disclosure vulnerability where a remote, unauthorized attacker may submit a crafted query that may result in a low severity information disclosure issue. \n\nThe information disclosed is limited to a single attribute in a database connection string. No business data is disclosed."
    },
    {
      "lang": "es",
      "value": "Las versiones 11.0 y posteriores de ArcGIS Enterprise Server presentan una vulnerabilidad de divulgaci\u00f3n de informaci\u00f3n por la que un atacante remoto no autorizado puede enviar una consulta manipulada que puede dar lugar a un problema de divulgaci\u00f3n de informaci\u00f3n de baja gravedad. \n\nLa informaci\u00f3n revelada se limita a un \u00fanico atributo en una cadena de conexi\u00f3n de base de datos. No se revelan datos comerciales."
    }
  ],
  "id": "CVE-2023-25848",
  "lastModified": "2024-11-21T07:50:18.600",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "psirt@esri.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2023-08-25T19:15:08.670",
  "references": [
    {
      "source": "psirt@esri.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/announcements/arcgis-server-map-and-feature-service-security-2023-update-1-patch/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/announcements/arcgis-server-map-and-feature-service-security-2023-update-1-patch/"
    }
  ],
  "sourceIdentifier": "psirt@esri.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-319"
        }
      ],
      "source": "psirt@esri.com",
      "type": "Secondary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2023-25848 (GCVE-0-2023-25848)

GHSA-MWG5-7GHX-PWGC

GSD-2023-25848

CNVD-2025-08815

WID-SEC-W-2023-2179

FKIE_CVE-2023-25848

Tags

Sightings

Nomenclature