CVE-2023-25848

Summary

ArcGIS Enterprise Server versions 11.0 and below have an information disclosure vulnerability where a remote, unauthorized attacker may submit a crafted query that may result in a low severity information disclosure issue.

The information disclosed is limited to a single attribute in a database connection string. No business data is disclosed.

Affected Software

VendorProductVersion RangeStatus
EsriArcGIS Enterprise Server10.8.1affected
EsriArcGIS Enterprise Server10.9.1affected
EsriArcGIS Enterprise Server11.0affected
EsriArcGIS Enterprise Server11.1affected

Weaknesses

  • CWE-319: CWE-319 Cleartext Transmission of Sensitive Information

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References