Esri has discovered a critical security vulnerability in Portal for ArcGIS that an authenticated user can trigger by taking a specially constructed sequence of steps. The result is a privilege escalation: the user can elevate themselves to administrator of the portal.
This issue is present in all supported versions of Portal for ArcGIS, on both Windows and Linux operating systems. Esri has released patches for all versions of Portal for ArcGIS, from version 10.3 through 10.6.1.
This is a known issue which has been logged by Esri as a defect, BUG-000117564.
Esri strongly recommends installing the relevant patch at the earliest possible opportunity.
All patches can be downloaded from the Esri Support Website:
For users of versions 10.6.1, 10.5.1, 10.4.1, and 10.3.1, the Portal for ArcGIS Security 2018 Update 3 Patch is available. This includes a fix for this issue, along with other recommended fixes for security issues.
For users of versions 10.6, 10.5, 10.4, and 10.3, the Portal for ArcGIS Privilege Escalation Security Patch is available, which contains a fix for this issue.
For any questions about this patch and resolving the security vulnerability, please contact Esri Technical Support.