CVE-2022-38203 HIGH

CVE-2022-38203: The allowedProxyHosts property is not fully honored in ArcGIS Enterprise (10.8.1 and 10.7.1 only)

Vendor Esri
Product Portal for ArcGIS
Weakness CWE-918 · SSRF
Published December 30, 2022
Last update April 10, 2025
View on NVD All CVEs

CVSS base score

7.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

Protections against potential Server-Side Request Forgery (SSRF) vulnerabilities in Esri Portal for ArcGIS versions 10.8.1 and below were not fully honored and may allow a remote, unauthenticated attacker to forge requests to arbitrary URLs from the system, potentially leading to network enumeration or reading from hosts inside the network perimeter, a different issue than CVE-2022-38211 and CVE-2022-38212.

Key dates

02Disclosure timeline

December 30, 2022 CVE published
April 10, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-46511 WordPress BeerXML Shortcode plugin <= 0.7.1 - Server Side Request Forgery (SSRF) Vulnerability CVE-2026-27797 Homarr: Unauthenticated SSRF in rssFeed.ts CVE-2026-30834 PinchTab: SSRF with Full Response Exfiltration via Download Handler CVE-2021-25972 Camaleon CMS - Server-Side Request Forgery (SSRF) in Media Upload Feature CVE-2025-12800 WP Shortcodes Plugin — Shortcodes Ultimate <= 7.4.5 - Authenticated (Administrator+) Server-Side Request Forgery