Vulnerability Details : CVE-2023-25834
Changes to user permissions in Portal for ArcGIS 10.9.1 and below are incompletely applied in specific use cases. This issue may allow users to access content that they are no longer privileged to access.
Published
2023-05-09 16:15:14
Updated
2023-05-22 22:15:10
Exploit prediction scoring system (EPSS) score for CVE-2023-25834
Probability of exploitation activity in the next 30 days: 0.06%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 26 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2023-25834
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
|---|---|---|---|---|---|
|
5.4
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N |
2.8
|
2.5
|
NIST |
|
5.4
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N |
2.8
|
2.5
|
Environmental Systems Research Institute, Inc. |
CWE ids for CVE-2023-25834
-
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.Assigned by: psirt@esri.com (Primary)
References for CVE-2023-25834
-
https://support.esri.com/en-us/patches-updates/2023/portal-for-arcgis-security-2023-update-1-patch-8095
Portal for ArcGIS Security 2023 Update 1 PatchPatch;Release Notes
-
https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2023-update-1-patch-is-now-available/
Portal for ArcGIS Security 2023 Update 1 Patch is Now AvailablePatch;Vendor Advisory
Products affected by CVE-2023-25834
- cpe:2.3:a:esri:portal_for_arcgis:*:*:*:*:*:*:*:*