Skip to main content

Portal For Arcgis CVE-2022-38212

HIGH
Server-Side Request Forgery (SSRF) (CWE-918)
2022-12-29 psirt@esri.com
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
CVE Published
Dec 29, 2022 - 20:15 nvd
HIGH 7.5

DescriptionNVD

Protections against potential Server-Side Request Forgery (SSRF) vulnerabilities in Esri Portal for ArcGIS versions 10.8.1 and below were not fully honored and may allow a remote, unauthenticated attacker to forge requests to arbitrary URLs from the system, potentially leading to network enumeration or reading from hosts inside the network perimeter, a different issue than CVE-2022-38211 and CVE-2022-38203.

AnalysisAI

Protections against potential Server-Side Request Forgery (SSRF) vulnerabilities in Esri Portal for ArcGIS versions 10.8.1 and below were not fully honored and may allow a remote, unauthenticated. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Server-Side Request Forgery (SSRF) (CWE-918), which allows attackers to make the server perform requests to unintended internal or external resources. Protections against potential Server-Side Request Forgery (SSRF) vulnerabilities in Esri Portal for ArcGIS versions 10.8.1 and below were not fully honored and may allow a remote, unauthenticated attacker to forge requests to arbitrary URLs from the system, potentially leading to network enumeration or reading from hosts inside the network perimeter, a different issue than CVE-2022-38211 and CVE-2022-38203. Affected products include: Esri Portal For Arcgis.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Validate and allowlist destination URLs, block requests to internal networks, use network segmentation.

CVE-2024-25693 CRITICAL
9.9 Apr 04

There is a path traversal in Esri Portal for ArcGIS versions <= 11.2. Rated critical severity (CVSS 9.9), this vulnerabi

CVE-2026-13019 CRITICAL
9.8 Jul 07

Missing authentication in Esri Portal for ArcGIS 12.1 and earlier (Windows, Linux, and Kubernetes deployments) exposes a

CVE-2026-13020 CRITICAL
9.8 Jul 07

Account takeover in Esri Portal for ArcGIS 12.1 and earlier (Windows, Linux, and Kubernetes) stems from a weak forgotten

CVE-2025-2538 CRITICAL
9.8 Mar 20

A hardcoded credential vulnerability exists in a specific deployment pattern for Esri Portal for ArcGIS versions 11.4 an

CVE-2022-38193 CRITICAL
9.6 Aug 16

There is a code injection vulnerability in Esri Portal for ArcGIS versions 10.8.1 and below that may allow a remote, una

CVE-2023-25832 HIGH
8.8 May 09

There is a cross-site-request forgery vulnerability in Esri Portal for ArcGIS Versions 11.0 and below that may allow an

CVE-2021-29108 HIGH
8.8 Oct 01

There is an privilege escalation vulnerability in organization-specific logins in Esri Portal for ArcGIS versions 10.9 a

CVE-2024-25699 HIGH
8.5 Apr 04

There is a difficult‑to‑exploit improper authentication issue in the Home application for Esri Portal for ArcGIS version

CVE-2023-25837 HIGH
8.4 Jul 21

There is a Cross‑Site Scripting (XSS) vulnerability in Esri ArcGIS Enterprise Sites versions 10.9 and below that may all

CVE-2023-25835 HIGH
8.4 Jul 21

There is a stored Cross‑Site Scripting (XSS) vulnerability in Esri Portal for ArcGIS Sites versions 11.1 and below that

CVE-2024-38040 HIGH
7.5 Oct 04

There is a local file inclusion vulnerability in Esri Portal for ArcGIS 11.2 and below that may allow a remote, unauthen

CVE-2022-38211 HIGH
7.5 Dec 29

Protections against potential Server-Side Request Forgery (SSRF) vulnerabilities in Esri Portal for ArcGIS versions 10.9

Share

CVE-2022-38212 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy