gsd-2023-25834
Vulnerability from gsd
Modified
2023-12-13 01:20
Details
Changes to user permissions in Portal for ArcGIS 10.9.1 and below are incompletely applied in specific use cases. This issue may allow users to access content that they are no longer privileged to access.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2023-25834",
"id": "GSD-2023-25834"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2023-25834"
],
"details": "Changes to user permissions in Portal for ArcGIS 10.9.1 and below are incompletely applied in specific use cases. This issue may allow users to access content that they are no longer privileged to access.",
"id": "GSD-2023-25834",
"modified": "2023-12-13T01:20:40.110053Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "psirt@esri.com",
"ID": "CVE-2023-25834",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Portal for ArcGIS",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "10.7.1",
"version_value": "10.9.1"
}
]
}
}
]
},
"vendor_name": "Esri"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Changes to user permissions in Portal for ArcGIS 10.9.1 and below are incompletely applied in specific use cases. This issue may allow users to access content that they are no longer privileged to access."
}
]
},
"generator": {
"engine": "Vulnogram 0.1.0-dev"
},
"impact": {
"cvss": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "None",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"cweId": "CWE-269",
"lang": "eng",
"value": "CWE-269 Improper Privilege Management"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2023-update-1-patch-is-now-available/",
"refsource": "MISC",
"url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2023-update-1-patch-is-now-available/"
},
{
"name": "https://support.esri.com/en-us/patches-updates/2023/portal-for-arcgis-security-2023-update-1-patch-8095",
"refsource": "MISC",
"url": "https://support.esri.com/en-us/patches-updates/2023/portal-for-arcgis-security-2023-update-1-patch-8095"
}
]
},
"solution": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Install P\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2023-update-1-patch-is-now-available/\"\u003eortal for ArcGIS Security 2023 Update 1\u003c/a\u003e\u003cbr\u003e"
}
],
"value": "Install P ortal for ArcGIS Security 2023 Update 1 https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2023-update-1-patch-is-now-available/ \n"
}
],
"source": {
"defect": [
"CVE-2023-25834"
],
"discovery": "INTERNAL"
}
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:esri:portal_for_arcgis:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "10.9.1",
"versionStartIncluding": "10.7.1",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "psirt@esri.com",
"ID": "CVE-2023-25834"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "Changes to user permissions in Portal for ArcGIS 10.9.1 and below are incompletely applied in specific use cases. This issue may allow users to access content that they are no longer privileged to access."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-269"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://support.esri.com/en-us/patches-updates/2023/portal-for-arcgis-security-2023-update-1-patch-8095",
"refsource": "MISC",
"tags": [
"Patch",
"Release Notes"
],
"url": "https://support.esri.com/en-us/patches-updates/2023/portal-for-arcgis-security-2023-update-1-patch-8095"
},
{
"name": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2023-update-1-patch-is-now-available/",
"refsource": "MISC",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2023-update-1-patch-is-now-available/"
}
]
}
},
"impact": {
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.5
}
},
"lastModifiedDate": "2023-05-22T22:15Z",
"publishedDate": "2023-05-09T16:15Z"
}
}
}
Loading...
Loading...
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.