A SQL Injection vulnerability exists in Esri ArcGIS Server versions 11.3, 11.4 and 11.5 on Windows, Linux and Kubernetes. This vulnerability allows a remote, unauthenticated attacker to execute arbitrary SQL commands via a specific ArcGIS Feature Service operation. Successful exploitation can potentially result in unauthorized access, modification, or deletion of data from the underlying Enterprise Geodatabase.
The attacker sends a specially crafted request to a specific ArcGIS Feature Service operation, injecting malicious SQL commands without needing any permissions. The vulnerability has a network vector (AV:N), does not require user interaction or special configuration (AC:L, UI:N), making it trivial to exploit. The payload goes directly to the database engine underlying Enterprise Geodatabase.
Successful exploitation can lead to unauthorized reading, modification, or permanent deletion of data stored in Enterprise Geodatabase, and due to the maximum CVSS score of 10.0 and scope S:C, potentially also to violations of confidentiality, integrity, and availability of resources beyond the ArcGIS server itself.
Security patches for ArcGIS Server Feature Services must be applied immediately, available from the vendor at: https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-feature-services-security-patch. Until the patch is installed, it is recommended to restrict network access to ArcGIS Feature Service services only to trusted sources and to increase monitoring of logs for anomalous SQL queries.
Esri ArcGIS Server versions 11.3, 11.4, and 11.5 on Microsoft Windows, Linux, and Kubernetes platforms.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HEsri Arcgis Server
APPEsri11.3 – 11.5Kubernetes
APPKuberneteswszystkie wersjeLinux Kernel
OSLinuxwszystkie wersjeMicrosoft Windows
OSMicrosoftwszystkie wersje
Related vulnerabilities
Atak na łańcuch dostaw DAEMON Tools Lite — trojanizacja instalatorów
Type confusion w V8 (Google Chrome) — zdalne uszkodzenie sterty
Commvault Command Center – nieuwierzytelniony RCE przez path traversal w ZIP
Path Traversal w Kingsoft WPS Office — ładowanie dowolnej biblioteki Windows
PHP CGI argument injection – RCE na Windows przez mechanizm Best-Fit