CVE-2024-51958 MEDIUM

CVE-2024-51958: Directory traversal vulnerability in the admin api for service thumbnails

Vendor Esri
Product ArcGIS Server
Weakness CWE-22 · Path traversal
Published March 3, 2025
Last update April 10, 2025

CVSS base score

4.9/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

There is a path traversal vulnerability in ESRI ArcGIS Server versions 11.3 and below. Successful exploitation may allow a remote authenticated attacker with admin privileges to traverse the file system to access files outside of the intended directory.  There is no impact to integrity or availability due to the nature of the files that can be accessed, but there is a potential high impact to confidentiality.

Key dates

02Disclosure timeline

March 3, 2025 CVE published
April 10, 2025 Record updated