CVE-2024-51966
Directory traversal vulnerability in ArcGIS Server
Severity Score
4.9
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
Track
*SSVC
Descriptions
There is a path traversal vulnerability in ESRI ArcGIS Server versions 10.9.1 thru 11.3. Successful exploitation may allow a remote authenticated attacker with admin privileges to traverse the file system to access files outside of the intended directory. There is no impact to integrity or availability due to the nature of the files that can be accessed, but there is a potential high impact to confidentiality.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:Track
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2024-11-04 CVE Reserved
- 2025-03-03 CVE Published
- 2025-03-03 CVE Updated
- 2025-04-04 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CAPEC
- CAPEC-126: Path Traversal
References (1)
| URL | Tag | Source |
|---|---|---|
| https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Esri Search vendor "Esri" | ArcGIS Server Search vendor "Esri" for product "ArcGIS Server" | 10.9.1 Search vendor "Esri" for product "ArcGIS Server" and version "10.9.1" | en |
Affected
| ||||||
| Esri Search vendor "Esri" | ArcGIS Server Search vendor "Esri" for product "ArcGIS Server" | 11.1 Search vendor "Esri" for product "ArcGIS Server" and version "11.1" | en |
Affected
| ||||||
| Esri Search vendor "Esri" | ArcGIS Server Search vendor "Esri" for product "ArcGIS Server" | 11.2 Search vendor "Esri" for product "ArcGIS Server" and version "11.2" | en |
Affected
| ||||||
| Esri Search vendor "Esri" | ArcGIS Server Search vendor "Esri" for product "ArcGIS Server" | 11.3 Search vendor "Esri" for product "ArcGIS Server" and version "11.3" | en |
Affected
| ||||||