
Bug

In the Portal self page (for example, https://test-org.esri.com/portal-WA/sharing/portals/self), there is an exposure vulnerability: the username of the owner of a group listed under Featured Groups is displayed.

Last Published: February 23, 2016 Portal for ArcGIS
Bug ID Number: BUG-000093375
Submitted: January 7, 2016
Last Modified: February 15, 2023
Applies to: Portal for ArcGIS
Version found: 10.3.1
Operating System: N/A
Status: Will Not Be Addressed

Additional Information

Portal is a social collaboration site, so there is a lot of inter-user interaction. For users to know who they are interacting with or what they are using, they need to know who the person is or who owns the item. Portal is also designed for anonymous use; in fact, that is quite common, as organizations may not want to purchase tens of thousands of named users. Anonymous users also need to know whether they trust something or someone. As a result, the behavior described is designed into the software and is fundamental to its usage. It is possible to know who owns any group you have access to, not just featured items. In fact, if we changed it on the self-call, it would still be possible to determine the owner of the group through another API. The owner is included in the self-call for performance/efficiency reasons, and this does not reduce the security.

Workaround

A possible workaround is to remove all groups from the Featured Groups section in the Portal Groups section. As documented, create a new account, promote it to administrator, and disable the initial administrator account.
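To confirm the workaround took effect, an administrator can save the self response as JSON and list which owner usernames it still shows. The following is an added example, not Esri code: it assumes the response carries a `featuredGroups` array of objects with `title` and `owner` fields, and the sample response, usernames and the `privileged` list are constructed for illustration.

```python
import json

# Constructed sample of a saved portals/self?f=json response (not real data).
SAMPLE_SELF = """{
  "name": "Test Org Portal",
  "featuredGroups": [
    {"title": "Featured Maps", "owner": "portaladmin"},
    {"title": "Basemaps", "owner": "gis_publisher"},
    {"title": "Field Apps", "owner": "portaladmin"}
  ]
}"""


def exposed_owners(self_json):
    """Map each owner username shown under featuredGroups to its group titles."""
    doc = json.loads(self_json)
    owners = {}
    # The key may be absent, null or empty once all featured groups are removed.
    for group in doc.get("featuredGroups") or []:
        owner = group.get("owner")
        if owner:
            owners.setdefault(owner, []).append(group.get("title", "<untitled>"))
    return owners


def audit(self_json, privileged=()):
    """List every exposed owner; flag those named in `privileged`.

    `privileged` is a hypothetical list the administrator supplies, such as
    the initial administrator account. Names are compared case-insensitively
    (an assumption made for this example).
    """
    priv = {name.lower() for name in privileged}
    return [
        {"owner": owner, "groups": titles, "privileged": owner.lower() in priv}
        for owner, titles in sorted(exposed_owners(self_json).items())
    ]


if __name__ == "__main__":
    findings = audit(SAMPLE_SELF, privileged=["portaladmin"])
    for f in findings:
        flag = "PRIVILEGED" if f["privileged"] else "user"
        print(f"{f['owner']} ({flag}): {', '.join(f['groups'])}")
    if not findings:
        print("No owner usernames shown under Featured Groups.")
```

An empty result means no featured groups remain in the response; a flagged entry means an administrator account still owns a featured group.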

Steps to Reproduce

Bug ID: BUG-000093375

Software:

  • Portal for ArcGIS
