CVE-2022-38203
The allowedProxyHosts property is not fully honored in ArcGIS Enterprise (10.8.1 and 10.7.1 only)
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Protections against potential Server-Side Request Forgery (SSRF) vulnerabilities in Esri Portal for ArcGIS versions 10.8.1 and below were not fully honored and may allow a remote, unauthenticated attacker to forge requests to arbitrary URLs from the system, potentially leading to network enumeration or reading from hosts inside the network perimeter, a different issue than CVE-2022-38211 and CVE-2022-38212.
Las protecciones contra posibles vulnerabilidades de Server-Side Request Forgery (SSRF) en Esri Portal for ArcGIS versiones 10.8.1 e inferiores no se respetaron en su totalidad y pueden permitir que un atacante remoto y no autenticado falsifique solicitudes a URL arbitrarias desde el sistema, lo que podría provocar una enumeración de la red. o lectura desde hosts dentro del perímetro de la red, un problema diferente a CVE-2022-38211 y CVE-2022-38212.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2022-08-12 CVE Reserved
- 2022-12-29 CVE Published
- 2024-08-05 EPSS Updated
- 2024-09-16 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-918: Server-Side Request Forgery (SSRF)
CAPEC
References (1)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Esri Search vendor "Esri" | Portal For Arcgis Search vendor "Esri" for product "Portal For Arcgis" | <= 10.8.1 Search vendor "Esri" for product "Portal For Arcgis" and version " <= 10.8.1" | - |
Affected
| ||||||