CVE-2022-38199 — MEDIUM (6.1)

Vulnerability Description

A remote file download issue can occur in some capabilities of Esri ArcGIS Server web services that may in some edge cases allow a remote, unauthenticated attacker to induce an unsuspecting victim to launch a process in the victim's PATH environment. Current browsers provide users with warnings against running unsigned executables downloaded from the internet.

CVSS Score

6.1

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality

LOW

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
Esri	Arcgis Server	10.7.1

Related Weaknesses (CWE)

CWE-494

References

https://www.esri.com/arcgis-blog/products/administration/administration/arcgis-sVendor Advisory
https://www.esri.com/arcgis-blog/products/administration/administration/arcgis-sVendor Advisory

FAQ

What is CVE-2022-38199?

CVE-2022-38199 is a vulnerability with a CVSS score of 6.1 (MEDIUM). A remote file download issue can occur in some capabilities of Esri ArcGIS Server web services that may in some edge cases allow a remote, unauthenticated attacker to induce an unsuspecting victim to ...

How severe is CVE-2022-38199?

CVE-2022-38199 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2022-38199?

Check the references section above for vendor advisories and patch information. Affected products include: Esri Arcgis Server.