CVE-2024-51961

There is a local file inclusion vulnerability in ArcGIS Server 11.3 and below that may allow a remote, unauthenticated attacker to craft a URL that could potentially disclose sensitive configuration information by reading internal files from the remote server. Due to the nature of the files accessible in this vulnerability the impact to confidentiality is High there is no impact to both integrity or availability.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch/	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:esri:arcgis_server:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-03-03 20:15

Updated : 2025-04-10 20:15

NVD link : CVE-2024-51961

Mitre link : CVE-2024-51961

CVE.ORG link : CVE-2024-51961

JSON object : View

Products Affected

esri

arcgis_server

CWE

CWE-73

External Control of File Name or Path

CWE-610

Externally Controlled Reference to a Resource in Another Sphere

{"id": "CVE-2024-51961", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2025-03-03T20:15:42.863", "references": [{"url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch/", "tags": ["Vendor Advisory"], "source": "[email protected]"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-73"}]}, {"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-610"}]}], "descriptions": [{"lang": "en", "value": "There is a local file inclusion vulnerability in ArcGIS Server 11.3 and below that may allow a remote, unauthenticated attacker to craft a URL that could potentially disclose sensitive configuration information by reading internal files from the remote server.\u00a0 Due to the nature of the files accessible in this vulnerability the impact to confidentiality is High there is no impact to both integrity or availability."}, {"lang": "es", "value": "Existe una vulnerabilidad de inclusi\u00f3n de archivos locales en ArcGIS Server 10.9.1 a 11.3 que puede permitir que un atacante remoto no autenticado manipule una URL que podr\u00eda revelar informaci\u00f3n de configuraci\u00f3n confidencial al leer archivos internos del servidor remoto. Debido a la naturaleza de los archivos a los que se puede acceder en esta vulnerabilidad, el impacto en la confidencialidad es alto y no hay impacto en la integridad ni en la disponibilidad."}], "lastModified": "2025-04-10T20:15:21.467", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:esri:arcgis_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0F9FCA91-B1DE-4C4E-8E33-C42BEA8F53D0", "versionEndIncluding": "11.3", "versionStartIncluding": "10.9.1"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}