CVE-2024-51954

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-51954
There is an improper access control issue in ArcGIS Server versions 11.3 and below on Windows and Linux, which under unique circumstances, could potentially allow a remote, low privileged authenticated attacker to access secure services published a standalone (Unfederated) ArcGIS Server instance.  If successful this compromise would have a high impact on Confidentiality, low impact on integrity and no impact to availability of the software.

8.5 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.1 / Impact : 4.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References
Link Resource
https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch/ Vendor Advisory
Configurations

Configuration 1 (hide)

AND
cpe:2.3:a:esri:arcgis_server:*:*:*:*:*:*:*:*
OR cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
History

10 Apr 2025, 20:15

Type Values Removed Values Added
Summary (en) There is an improper access control issue in ArcGIS Server versions 10.9.1 through 11.3 on Windows and Linux, which under unique circumstances, could potentially allow a remote, low privileged authenticated attacker to access secure services published a standalone (Unfederated) ArcGIS Server instance.  If successful this compromise would have a high impact on Confidentiality, low impact on integrity and no impact to availability of the software. (en) There is an improper access control issue in ArcGIS Server versions 11.3 and below on Windows and Linux, which under unique circumstances, could potentially allow a remote, low privileged authenticated attacker to access secure services published a standalone (Unfederated) ArcGIS Server instance.  If successful this compromise would have a high impact on Confidentiality, low impact on integrity and no impact to availability of the software.

06 Mar 2025, 14:23

Type Values Removed Values Added
First Time Esri
Linux linux Kernel
Linux
Esri arcgis Server
Microsoft
Microsoft windows
Summary
  • (es) Existe un problema de control de acceso inadecuado en las versiones 10.9.1 a 11.3 de ArcGIS Server en Windows y Linux que, en circunstancias excepcionales, podría permitir que un atacante remoto autenticado con pocos privilegios acceda a servicios seguros publicados en una instancia independiente (no federada) de ArcGIS Server. Si tiene éxito, esta vulneración tendría un gran impacto en la confidencialidad, un bajo impacto en la integridad y ningún impacto en la disponibilidad del software.
References () https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch/ - () https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch/ - Vendor Advisory
CPE cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
cpe:2.3:a:esri:arcgis_server:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
CWE NVD-CWE-noinfo

03 Mar 2025, 20:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-03-03 20:15

Updated : 2025-04-10 20:15

NVD link : CVE-2024-51954

Mitre link : CVE-2024-51954

CVE.ORG link : CVE-2024-51954

JSON object : View

Products Affected

esri

  • arcgis_server

linux

  • linux_kernel

microsoft

  • windows
CWE
CWE-284

Improper Access Control

NVD-CWE-noinfo