CVE-2024-51962
Published: 03 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2024-51962, published on 2025-03-03, is a SQL injection vulnerability (CWE-89) in ArcGIS Server. The flaw enables an EDIT operation to modify column properties in a manner that could lead to SQL injection when performed by a remote authenticated user. It has a CVSS v3.1 base score of 8.7 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N), reflecting high impacts on confidentiality and integrity with no availability impact.
Exploitation requires elevated, non-administrative privileges: the attacker must be a user with advanced application-specific permissions, which is why the vector rates the privileges required as high (PR:H). A remote authenticated attacker with those permissions could use the SQL injection to significantly compromise data integrity and confidentiality.
Esri addresses this vulnerability in its ArcGIS Server Security 2025 Update 1 Patch, detailed in the advisory at https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch/. Security practitioners should apply this patch to mitigate the risk.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The SQL injection vulnerability in the public-facing ArcGIS Server directly enables T1190: Exploit Public-Facing Application, allowing a remote authenticated attacker with elevated privileges to compromise data confidentiality and integrity via the EDIT operation.