CVE-2024-25699

Severity CVSS v4.0:

Pending analysis

Type:

CWE-287 Authentication Issues

Publication date:

04/04/2024

Last modified:

13/02/2026

Description

There is a difficult‑to‑exploit improper authentication issue in the Home application for Esri Portal for ArcGIS versions 11.2 and below on Windows and Linux, and ArcGIS Enterprise versions 11.1 and below on Kubernetes, which under unique circumstances could allow a remote, authenticated attacker with low‑privileged access to compromise the confidentiality, integrity, and availability of the software. Successful exploitation allows the attacker to cross an authentication and authorization boundary beyond their originally assigned access, resulting in a scope change.

Impact

Vector 3.x

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H CVSS v3.1 Severity and Metrics:

Base Score: 8.50 HIGH
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Changed
Confidentiality (C): High
Integrity (I): High
Availability (A): High

Base Score 3.x

8.50

Severity 3.x

HIGH

Vulnerable products and versions

CPE	From	Up to
cpe:2.3:a:esri:portal_for_arcgis::::::::	10.8.1 (including)	11.2 (including)
cpe:2.3:o:linux:linux_kernel:-:::::::*
cpe:2.3:o:microsoft:windows:-:::::::*
cpe:2.3:a:esri:arcgis_enterprise::::::::		11.1 (including)

To consult the complete list of CPE names with products and versions, see this page

CVE-2024-25699

Description

Impact

Vulnerable products and versions

References to Advisories, Solutions, and Tools