CVE-2022-38202

HIGH

Esri ArcGIS Server <10.9.1 - Path Traversal

Title source: llm

Description

There is a path traversal vulnerability in Esri ArcGIS Server versions 10.9.1 and below. Successful exploitation may allow a remote, unauthenticated attacker traverse the file system to access files outside of the intended directory on ArcGIS Server. This could lead to the disclosure of sensitive site configuration information (not user datasets).

References (1)

Core 1

Core References

Vendor Advisory

https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2022-update-2-patch-is-now-available

Scores

CVSS v3 7.5

EPSS 0.0069

EPSS Percentile 72.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-22 CWE-23

Status published

Products (1)

esri/arcgis_server < 10.9.1

Published Dec 28, 2022

Tracked Since Feb 18, 2026