Bug
There is an improper access control issue in ArcGIS Server.
| Bug ID Number | BUG-000113291 |
|---|---|
| Submitted | April 17, 2018 |
| Last Modified | May 31, 2023 |
| Applies to | ArcGIS GIS Server |
| Version found | 10.5.1 |
| Operating System | Windows OS |
| Operating System Version | 2012 R2 |
| Version Fixed | 10.6.1 |
| Status | Fixed |
Description
Esri has discovered a critical security vulnerability in ArcGIS Server when specially crafted requests are sent to it. This causes improper access control validation to services, which results in secured services and their data being exposed to users who should not otherwise have access.
This issue is present in all currently supported versions of ArcGIS Server. Esri has released patches for versions 10.2.1 through 10.6. The issue has been fixed in ArcGIS Server 10.6.1.
Cause
This is a known issue which has been logged by Esri as a defect, BUG-000113291.
Workaround
Esri strongly recommends installing the relevant patch at the earliest possible opportunity.
All patches can be downloaded from the Esri Support website: ArcGIS Server Improper Access Control Security Patch
Please note that the ArcGIS Server account will be restarted while the patch is applied.
For any questions about this patch and resolving the security vulnerability, please contact Esri Technical Support.
Steps to Reproduce
Bug ID: BUG-000113291
Software:
- ArcGIS GIS Server
Get help from ArcGIS experts
Download the Esri Support App
Related Information
Discover more on this topic
Search for related information
Find training related to this topic
Explore ideas and give feedback