Is This Content Helpful?
We're glad to know this article was helpful.
Esri has released a security patch to address serious vulnerabilities in the Web Adaptor for IIS. This patch should be applied immediately. The Web Adaptor for the Java platform is not affected by these vulnerabilities.
NIM102891 – ArcGIS Web Adaptor on IIS does not enforce authorization on a restricted URL - (CWE-425)
Esri requests that customers install Security Patch - ArcGIS Web Adaptor for IIS (10.1 SP1 to 10.2.2) at the earliest opportunity.
Esri recommends minimizing the attack surface of any software deployments. Administrative interfaces such as ArcGIS Manager and the Web Adaptor configuration page should not be exposed for general Internet access.
CVSS base scores do not include temporal or environmental organization-specific factors for calculation, and the scores above align with those of other similar historical vulnerabilities.