CVE-2024-51954

There is an improper access control issue in ArcGIS Server versions 11.3 and below on Windows and Linux, which, under unique circumstances, could potentially allow a remote, low privileged authenticated attacker to access secure services published to a standalone (Unfederated) ArcGIS Server instance. If successful, this compromise would have a high impact on Confidentiality, low impact on integrity and no impact to availability of the software.

Configurations

Configuration 1

AND
cpe:2.3:a:esri:arcgis_server:*:*:*:*:*:*:*:*
OR cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

History

10 Apr 2025, 20:15

Type Values Removed Values Added
CWE CWE-284
NVD-CWE-noinfo
Summary
Removed: There is an improper access control issue in ArcGIS Server versions 10.9.1 through 11.3 on Windows and Linux, which, under unique circumstances, could potentially allow a remote, low privileged authenticated attacker to access secure services published to a standalone (Unfederated) ArcGIS Server instance. If successful, this compromise would have a high impact on Confidentiality, low impact on integrity and no impact to availability of the software.
Added: There is an improper access control issue in ArcGIS Server versions 11.3 and below on Windows and Linux, which, under unique circumstances, could potentially allow a remote, low privileged authenticated attacker to access secure services published to a standalone (Unfederated) ArcGIS Server instance. If successful, this compromise would have a high impact on Confidentiality, low impact on integrity and no impact to availability of the software.

06 Mar 2025, 14:23

Type Values Removed Values Added
CVSS v2 : unknown
v3 : 8.5
v2 : unknown
v3 : 7.1
References
Removed: https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch/
Added: https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch/ - Vendor Advisory
CPE cpe:2.3:a:esri:arcgis_server:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
First Time Esri arcgis Server
Esri
Linux
Microsoft windows
Microsoft
Linux linux Kernel
CWE NVD-CWE-noinfo

03 Mar 2025, 20:15

Type Values Removed Values Added
New CVE

Information

Published : 2025-03-03 20:15

Updated : 2025-04-10 20:15


NVD link : CVE-2024-51954

Mitre link : CVE-2024-51954


Products Affected

linux

  • linux_kernel

esri

  • arcgis_server

microsoft

  • windows

CWE

No CWE.