CVE-2022-38196 - Vulnerability Details - OpenCVE

Esri ArcGIS Server versions 10.9.1 and prior have a path traversal vulnerability that may result in a denial of service by allowing a remote, authenticated attacker to overwrite internal ArcGIS Server directory.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Esri	Arcgis Server

Configuration 1 [-]

cpe:2.3:a:esri:arcgis_server:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://www.esri.com/arcgis-blog/products/administration/administration/arcgis-server-security-2022-update-1-patch

History

Thu, 10 Apr 2025 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: Esri

Published: 2022-10-25T16:32:04.168Z

Updated: 2025-04-10T14:55:48.363Z

Reserved: 2022-08-12T00:00:00.000Z

Link: CVE-2022-38196

Vulnrichment

Updated: 2024-08-03T10:45:52.994Z

NVD

Status : Modified

Published: 2022-10-25T17:15:55.313

Modified: 2024-11-21T07:15:58.863

Link: CVE-2022-38196

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-38196", "assignerOrgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e", "assignerShortName": "Esri", "datePublished": "2022-10-25T16:32:04.168Z", "dateUpdated": "2025-04-10T14:55:48.363Z", "dateReserved": "2022-08-12T00:00:00.000Z"}, "containers": {"cna": {"title": "BUG-000150537 - ArcGIS Server has a local file inclusion (LFI) vulnerability", "datePublic": "2022-08-17T00:00:00.000Z", "providerMetadata": {"orgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e", "shortName": "Esri", "dateUpdated": "2022-10-25T00:00:00.000Z"}, "descriptions": [{"lang": "en", "value": "Esri ArcGIS Server versions 10.9.1 and prior have a path traversal vulnerability that may result in a denial of service by allowing a remote, authenticated attacker to overwrite internal ArcGIS Server directory."}], "affected": [{"vendor": "Esri", "product": "ArcGIS Server", "versions": [{"version": "All", "status": "affected", "lessThanOrEqual": "10.9.1", "versionType": "custom"}], "platforms": ["x64"]}], "references": [{"url": "https://www.esri.com/arcgis-blog/products/administration/administration/arcgis-server-security-2022-update-1-patch"}], "credits": [{"lang": "en", "value": "Credit: Hussein Bachmad"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "cweId": "CWE-22"}]}], "x_generator": {"engine": "vulnogram 0.1.0-rc1"}, "source": {"defect": ["BUG-000150537"], "discovery": "UNKNOWN"}, "solutions": [{"lang": "en", "value": "Install ArcGIS Server Security 2022 Update 1 Patch: https://support.esri.com/en/download/8043"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T10:45:52.994Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.esri.com/arcgis-blog/products/administration/administration/arcgis-server-security-2022-update-1-patch", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-10T14:49:45.769228Z", "id": "CVE-2022-38196", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-10T14:55:48.363Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.esri.com/arcgis-blog/products/administration/administration/arcgis-server-security-2022-update-1-patch", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T10:45:52.994Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-38196", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-10T14:49:45.769228Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-10T14:49:49.047Z"}}], "cna": {"title": "BUG-000150537 - ArcGIS Server has a local file inclusion (LFI) vulnerability", "source": {"defect": ["BUG-000150537"], "discovery": "UNKNOWN"}, "credits": [{"lang": "en", "value": "Credit: Hussein Bachmad"}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "Esri", "product": "ArcGIS Server", "versions": [{"status": "affected", "version": "All", "versionType": "custom", "lessThanOrEqual": "10.9.1"}], "platforms": ["x64"]}], "solutions": [{"lang": "en", "value": "Install ArcGIS Server Security 2022 Update 1 Patch: https://support.esri.com/en/download/8043"}], "datePublic": "2022-08-17T00:00:00.000Z", "references": [{"url": "https://www.esri.com/arcgis-blog/products/administration/administration/arcgis-server-security-2022-update-1-patch"}], "x_generator": {"engine": "vulnogram 0.1.0-rc1"}, "descriptions": [{"lang": "en", "value": "Esri ArcGIS Server versions 10.9.1 and prior have a path traversal vulnerability that may result in a denial of service by allowing a remote, authenticated attacker to overwrite internal ArcGIS Server directory."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e", "shortName": "Esri", "dateUpdated": "2022-10-25T00:00:00.000Z"}}}, "cveMetadata": {"cveId": "CVE-2022-38196", "state": "PUBLISHED", "dateUpdated": "2025-04-10T14:55:48.363Z", "dateReserved": "2022-08-12T00:00:00.000Z", "assignerOrgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e", "datePublished": "2022-10-25T16:32:04.168Z", "assignerShortName": "Esri"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:esri:arcgis_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "5AFAD746-E495-4E4C-9256-17C1A06ADEB9", "versionEndIncluding": "10.9.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Esri ArcGIS Server versions 10.9.1 and prior have a path traversal vulnerability that may result in a denial of service by allowing a remote, authenticated attacker to overwrite internal ArcGIS Server directory."}, {"lang": "es", "value": "Esri ArcGIS Server versiones 10.9.1 y anteriores, presentan una vulnerabilidad de salto de ruta que puede resultar en una denegaci\u00f3n de servicio al permitir que un atacante remoto y autenticado sobrescriba el directorio interno de ArcGIS Server"}], "id": "CVE-2022-38196", "lastModified": "2024-11-21T07:15:58.863", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.2, "source": "psirt@esri.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-10-25T17:15:55.313", "references": [{"source": "psirt@esri.com", "tags": ["Vendor Advisory"], "url": "https://www.esri.com/arcgis-blog/products/administration/administration/arcgis-server-security-2022-update-1-patch"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.esri.com/arcgis-blog/products/administration/administration/arcgis-server-security-2022-update-1-patch"}], "sourceIdentifier": "psirt@esri.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "psirt@esri.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}]}