漏洞
Generating a token using the OAuth2.0 endpoints with a valid Client ID and Client Secret returns a token, which is not valid to access services, which are owned by the same user who created the registered application. This occurs in a federated Portal for ArcGIS and ArcGIS GIS Server environment with a hosting server configured.
| 漏洞 ID 编号 | BUG-000093367 |
|---|---|
| 已提交 | January 7, 2016 |
| 上次修改时间 | June 5, 2024 |
| 适用范围 | ArcGIS API for JavaScript |
| 找到的版本 | 3.14 |
| 操作系统 | Windows OS |
| 操作系统版本 | 7.0 64 Bit |
| 状态 | Will Not Be Addressed |
附加信息
This is intended behavior, it is a limitation of app logins. Tokens obtained by applications can only read public content and services. Although an App login cannot be used with private content, if the goal is to distribute or sell an app to organizations without ArcGIS Online (no named users), the control access to the content may be controlled by using an login mechanism (Identity) to the app. https://developers.arcgis.com/documentation/core-concepts/security-and-authentication/limitations-of-application-authentication/重现步骤
漏洞 ID: BUG-000093367
软件:
- ArcGIS API for JavaScript
当漏洞状态发生变化时获得通知
发现关于本主题的更多内容
搜索相关信息
查找与此主题相关的培训
探索想法并提供反馈
获取来自 ArcGIS 专家的帮助
下载 Esri 支持应用程序