Vulnerability-Lookup

CVE-2024-51962 (GCVE-0-2024-51962)

Vulnerability from cvelistv5 – Published: 2025-03-03 19:58 – Updated: 2026-02-06 06:08

Title

SQL injection vulnerability in ArcGIS Server

Summary

A SQL injection vulnerability in ArcGIS Server allows an EDIT operation to modify column properties in a manner that could lead to SQL injection when performed by a remote authenticated user requiring elevated, non‑administrative privileges. Exploitation is restricted to users with advanced application‑specific permissions, indicating high privileges are required. Successful exploitation would have a high impact on integrity and confidentiality, with no impact on availability.

Severity ?

8.7 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N

CWE

CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Assigner

Esri

References

URL

Tags

https://www.esri.com/arcgis-blog/products/trust-a…

Impacted products

	Vendor	Product	Version
	Esri	ArcGIS Server	Affected: all , ≤ 11.3 (all)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-51962",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-03T20:35:15.366088Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-03T20:35:40.969Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "platforms": [
            "Windows",
            "Linux"
          ],
          "product": "ArcGIS Server",
          "vendor": "Esri",
          "versions": [
            {
              "changes": [
                {
                  "at": "Security 2025 update 1",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "11.3",
              "status": "affected",
              "version": "all",
              "versionType": "all"
            }
          ]
        }
      ],
      "datePublic": "2025-02-28T20:06:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u003cdiv\u003eA SQL injection vulnerability in ArcGIS Server allows an EDIT operation to modify column properties in a manner that could lead to SQL injection when performed by a remote authenticated user requiring elevated, non\u2011administrative privileges. Exploitation is restricted to users with advanced application\u2011specific permissions, indicating high privileges are required. Successful exploitation would have a high impact on integrity and confidentiality, with no impact on availability.\u003c/div\u003e\n\n\u003c/span\u003e"
            }
          ],
          "value": "A SQL injection vulnerability in ArcGIS Server allows an EDIT operation to modify column properties in a manner that could lead to SQL injection when performed by a remote authenticated user requiring elevated, non\u2011administrative privileges. Exploitation is restricted to users with advanced application\u2011specific permissions, indicating high privileges are required. Successful exploitation would have a high impact on integrity and confidentiality, with no impact on availability."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-66",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-66 SQL Injection"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-06T06:08:07.932Z",
        "orgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
        "shortName": "Esri"
      },
      "references": [
        {
          "url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch/"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Install ArcGIS Server security 2025 update 1."
            }
          ],
          "value": "Install ArcGIS Server security 2025 update 1."
        }
      ],
      "source": {
        "defect": [
          "BUG-000171444"
        ],
        "discovery": "UNKNOWN"
      },
      "title": "SQL injection vulnerability in ArcGIS Server",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
    "assignerShortName": "Esri",
    "cveId": "CVE-2024-51962",
    "datePublished": "2025-03-03T19:58:48.928Z",
    "dateReserved": "2024-11-04T16:54:40.930Z",
    "dateUpdated": "2026-02-06T06:08:07.932Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-51962\",\"sourceIdentifier\":\"psirt@esri.com\",\"published\":\"2025-03-03T20:15:43.043\",\"lastModified\":\"2026-02-13T19:41:49.147\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A SQL injection vulnerability in ArcGIS Server allows an EDIT operation to modify column properties in a manner that could lead to SQL injection when performed by a remote authenticated user requiring elevated, non\u2011administrative privileges. Exploitation is restricted to users with advanced application\u2011specific permissions, indicating high privileges are required. Successful exploitation would have a high impact on integrity and confidentiality, with no impact on availability.\"},{\"lang\":\"es\",\"value\":\"Una vulnerabilidad de inyecci\u00f3n SQL en ArcGIS Server permite que una operaci\u00f3n EDIT modifique las propiedades de las columnas, lo que permite la ejecuci\u00f3n de una inyecci\u00f3n SQL por parte de un usuario autenticado remoto con privilegios elevados (no administrativos). Esto tiene un gran impacto en la integridad y la confidencialidad, pero no en la disponibilidad.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"psirt@esri.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N\",\"baseScore\":8.7,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.3,\"impactScore\":5.8},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N\",\"baseScore\":8.7,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.3,\"impactScore\":5.8}]},\"weaknesses\":[{\"source\":\"psirt@esri.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-89\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:esri:arcgis_server:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"10.9.1\",\"versionEndIncluding\":\"11.3\",\"matchCriteriaId\":\"0F9FCA91-B1DE-4C4E-8E33-C42BEA8F53D0\"}]}]}],\"references\":[{\"url\":\"https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch/\",\"source\":\"psirt@esri.com\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-51962\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-03-03T20:35:15.366088Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-03-03T20:35:28.404Z\"}}], \"cna\": {\"title\": \"SQL injection vulnerability in ArcGIS Server\", \"source\": {\"defect\": [\"BUG-000171444\"], \"discovery\": \"UNKNOWN\"}, \"impacts\": [{\"capecId\": \"CAPEC-66\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-66 SQL Injection\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 8.7, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Esri\", \"product\": \"ArcGIS Server\", \"versions\": [{\"status\": \"affected\", \"changes\": [{\"at\": \"Security 2025 update 1\", \"status\": \"unaffected\"}], \"version\": \"all\", \"versionType\": \"all\", \"lessThanOrEqual\": \"11.3\"}], \"platforms\": [\"Windows\", \"Linux\"], \"defaultStatus\": \"affected\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"Install ArcGIS Server security 2025 update 1.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Install ArcGIS Server security 2025 update 1.\", \"base64\": false}]}], \"datePublic\": \"2025-02-28T20:06:00.000Z\", \"references\": [{\"url\": \"https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch/\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.1.0-dev\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"A SQL injection vulnerability in ArcGIS Server allows an EDIT operation to modify column properties in a manner that could lead to SQL injection when performed by a remote authenticated user requiring elevated, non\\u2011administrative privileges. Exploitation is restricted to users with advanced application\\u2011specific permissions, indicating high privileges are required. Successful exploitation would have a high impact on integrity and confidentiality, with no impact on availability.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003e\u003cdiv\u003eA SQL injection vulnerability in ArcGIS Server allows an EDIT operation to modify column properties in a manner that could lead to SQL injection when performed by a remote authenticated user requiring elevated, non\\u2011administrative privileges. Exploitation is restricted to users with advanced application\\u2011specific permissions, indicating high privileges are required. Successful exploitation would have a high impact on integrity and confidentiality, with no impact on availability.\u003c/div\u003e\\n\\n\u003c/span\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-89\", \"description\": \"CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"cedc17bb-4939-4f40-a1f4-30ae8af1094e\", \"shortName\": \"Esri\", \"dateUpdated\": \"2026-02-06T06:08:07.932Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-51962\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-02-06T06:08:07.932Z\", \"dateReserved\": \"2024-11-04T16:54:40.930Z\", \"assignerOrgId\": \"cedc17bb-4939-4f40-a1f4-30ae8af1094e\", \"datePublished\": \"2025-03-03T19:58:48.928Z\", \"assignerShortName\": \"Esri\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

CNVD-2025-05054

Vulnerability from cnvd - Published: 2025-03-12

Title

Esri ArcGIS Server SQL注入漏洞（CNVD-2025-05054）

Description

Esri ArcGIS Server是Esri公司的一个面向Web的可用于提供地理位置服务的企业级软件平台。 Esri ArcGIS Server存在SQL注入漏洞，该漏洞源于应用缺少对外部输入SQL语句的验证。攻击者可利用该漏洞查看、添加、修改或删除后端数据库中的信息。

Severity

高

Patch Name

Esri ArcGIS Server SQL注入漏洞（CNVD-2025-05054）的补丁

Patch Description

Esri ArcGIS Server是Esri公司的一个面向Web的可用于提供地理位置服务的企业级软件平台。 Esri ArcGIS Server存在SQL注入漏洞，该漏洞源于应用缺少对外部输入SQL语句的验证。攻击者可利用该漏洞查看、添加、修改或删除后端数据库中的信息。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://support.esri.com/en-us/patches-updates/2025/arcgis-server-security-2025-update-1

Reference

https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch/

Impacted products

Name
ESRI ArcGIS Server >=10.9.1，<=11.3

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2024-51962",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2024-51962"
    }
  },
  "description": "Esri ArcGIS Server\u662fEsri\u516c\u53f8\u7684\u4e00\u4e2a\u9762\u5411Web\u7684\u53ef\u7528\u4e8e\u63d0\u4f9b\u5730\u7406\u4f4d\u7f6e\u670d\u52a1\u7684\u4f01\u4e1a\u7ea7\u8f6f\u4ef6\u5e73\u53f0\u3002\n\nEsri ArcGIS Server\u5b58\u5728SQL\u6ce8\u5165\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5e94\u7528\u7f3a\u5c11\u5bf9\u5916\u90e8\u8f93\u5165SQL\u8bed\u53e5\u7684\u9a8c\u8bc1\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u67e5\u770b\u3001\u6dfb\u52a0\u3001\u4fee\u6539\u6216\u5220\u9664\u540e\u7aef\u6570\u636e\u5e93\u4e2d\u7684\u4fe1\u606f\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://support.esri.com/en-us/patches-updates/2025/arcgis-server-security-2025-update-1",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2025-05054",
  "openTime": "2025-03-12",
  "patchDescription": "Esri ArcGIS Server\u662fEsri\u516c\u53f8\u7684\u4e00\u4e2a\u9762\u5411Web\u7684\u53ef\u7528\u4e8e\u63d0\u4f9b\u5730\u7406\u4f4d\u7f6e\u670d\u52a1\u7684\u4f01\u4e1a\u7ea7\u8f6f\u4ef6\u5e73\u53f0\u3002\r\n\r\nEsri ArcGIS Server\u5b58\u5728SQL\u6ce8\u5165\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5e94\u7528\u7f3a\u5c11\u5bf9\u5916\u90e8\u8f93\u5165SQL\u8bed\u53e5\u7684\u9a8c\u8bc1\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u67e5\u770b\u3001\u6dfb\u52a0\u3001\u4fee\u6539\u6216\u5220\u9664\u540e\u7aef\u6570\u636e\u5e93\u4e2d\u7684\u4fe1\u606f\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Esri ArcGIS Server SQL\u6ce8\u5165\u6f0f\u6d1e\uff08CNVD-2025-05054\uff09\u7684\u8865\u4e01",
  "products": {
    "product": "ESRI ArcGIS Server \u003e=10.9.1\uff0c\u003c=11.3"
  },
  "referenceLink": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch/",
  "serverity": "\u9ad8",
  "submitTime": "2025-03-07",
  "title": "Esri ArcGIS Server SQL\u6ce8\u5165\u6f0f\u6d1e\uff08CNVD-2025-05054\uff09"
}

WID-SEC-W-2025-0476

Vulnerability from csaf_certbund - Published: 2025-03-03 23:00 - Updated: 2025-03-03 23:00

Summary

ESRI ArcGIS: Mehrere Schwachstellen

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

ArcGIS ist ein Geoinformationssystem.

Angriff

Ein entfernter, authentifizierter Angreifer kann mehrere Schwachstellen in ESRI ArcGIS ausnutzen, um Dateien zu manipulieren, Cross-Site-Scripting durchzuführen, Informationen offenzulegen oder Sicherheitsvorkehrungen zu umgehen.

Betroffene Betriebssysteme

- Sonstiges - Windows

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "ArcGIS ist ein Geoinformationssystem.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, authentifizierter Angreifer kann mehrere Schwachstellen in ESRI ArcGIS ausnutzen, um Dateien zu manipulieren, Cross-Site-Scripting durchzuf\u00fchren, Informationen offenzulegen oder Sicherheitsvorkehrungen zu umgehen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Sonstiges\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2025-0476 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2025/wid-sec-w-2025-0476.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2025-0476 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-0476"
      },
      {
        "category": "external",
        "summary": "ArcGIS Server Security 2025 Update 1 vom 2025-03-03",
        "url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch/"
      }
    ],
    "source_lang": "en-US",
    "title": "ESRI ArcGIS: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2025-03-03T23:00:00.000+00:00",
      "generator": {
        "date": "2025-03-04T10:32:52.564+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.12"
        }
      },
      "id": "WID-SEC-W-2025-0476",
      "initial_release_date": "2025-03-03T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2025-03-03T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "Server Security \u003c2025 Update 1",
                "product": {
                  "name": "ESRI ArcGIS Server Security \u003c2025 Update 1",
                  "product_id": "T041548"
                }
              },
              {
                "category": "product_version",
                "name": "Server Security 2025 Update 1",
                "product": {
                  "name": "ESRI ArcGIS Server Security 2025 Update 1",
                  "product_id": "T041548-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:esri:arcgis:server_security__2025_update_1"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "ArcGIS"
          }
        ],
        "category": "vendor",
        "name": "ESRI"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-51962",
      "product_status": {
        "known_affected": [
          "T041548"
        ]
      },
      "release_date": "2025-03-03T23:00:00.000+00:00",
      "title": "CVE-2024-51962"
    },
    {
      "cve": "CVE-2024-51954",
      "product_status": {
        "known_affected": [
          "T041548"
        ]
      },
      "release_date": "2025-03-03T23:00:00.000+00:00",
      "title": "CVE-2024-51954"
    },
    {
      "cve": "CVE-2024-51961",
      "product_status": {
        "known_affected": [
          "T041548"
        ]
      },
      "release_date": "2025-03-03T23:00:00.000+00:00",
      "title": "CVE-2024-51961"
    },
    {
      "cve": "CVE-2024-51958",
      "product_status": {
        "known_affected": [
          "T041548"
        ]
      },
      "release_date": "2025-03-03T23:00:00.000+00:00",
      "title": "CVE-2024-51958"
    },
    {
      "cve": "CVE-2024-51966",
      "product_status": {
        "known_affected": [
          "T041548"
        ]
      },
      "release_date": "2025-03-03T23:00:00.000+00:00",
      "title": "CVE-2024-51966"
    },
    {
      "cve": "CVE-2024-10904",
      "product_status": {
        "known_affected": [
          "T041548"
        ]
      },
      "release_date": "2025-03-03T23:00:00.000+00:00",
      "title": "CVE-2024-10904"
    },
    {
      "cve": "CVE-2024-51942",
      "product_status": {
        "known_affected": [
          "T041548"
        ]
      },
      "release_date": "2025-03-03T23:00:00.000+00:00",
      "title": "CVE-2024-51942"
    },
    {
      "cve": "CVE-2024-51943",
      "product_status": {
        "known_affected": [
          "T041548"
        ]
      },
      "release_date": "2025-03-03T23:00:00.000+00:00",
      "title": "CVE-2024-51943"
    },
    {
      "cve": "CVE-2024-51944",
      "product_status": {
        "known_affected": [
          "T041548"
        ]
      },
      "release_date": "2025-03-03T23:00:00.000+00:00",
      "title": "CVE-2024-51944"
    },
    {
      "cve": "CVE-2024-51945",
      "product_status": {
        "known_affected": [
          "T041548"
        ]
      },
      "release_date": "2025-03-03T23:00:00.000+00:00",
      "title": "CVE-2024-51945"
    },
    {
      "cve": "CVE-2024-51946",
      "product_status": {
        "known_affected": [
          "T041548"
        ]
      },
      "release_date": "2025-03-03T23:00:00.000+00:00",
      "title": "CVE-2024-51946"
    },
    {
      "cve": "CVE-2024-51947",
      "product_status": {
        "known_affected": [
          "T041548"
        ]
      },
      "release_date": "2025-03-03T23:00:00.000+00:00",
      "title": "CVE-2024-51947"
    },
    {
      "cve": "CVE-2024-51948",
      "product_status": {
        "known_affected": [
          "T041548"
        ]
      },
      "release_date": "2025-03-03T23:00:00.000+00:00",
      "title": "CVE-2024-51948"
    },
    {
      "cve": "CVE-2024-51949",
      "product_status": {
        "known_affected": [
          "T041548"
        ]
      },
      "release_date": "2025-03-03T23:00:00.000+00:00",
      "title": "CVE-2024-51949"
    },
    {
      "cve": "CVE-2024-51950",
      "product_status": {
        "known_affected": [
          "T041548"
        ]
      },
      "release_date": "2025-03-03T23:00:00.000+00:00",
      "title": "CVE-2024-51950"
    },
    {
      "cve": "CVE-2024-51951",
      "product_status": {
        "known_affected": [
          "T041548"
        ]
      },
      "release_date": "2025-03-03T23:00:00.000+00:00",
      "title": "CVE-2024-51951"
    },
    {
      "cve": "CVE-2024-51952",
      "product_status": {
        "known_affected": [
          "T041548"
        ]
      },
      "release_date": "2025-03-03T23:00:00.000+00:00",
      "title": "CVE-2024-51952"
    },
    {
      "cve": "CVE-2024-51953",
      "product_status": {
        "known_affected": [
          "T041548"
        ]
      },
      "release_date": "2025-03-03T23:00:00.000+00:00",
      "title": "CVE-2024-51953"
    },
    {
      "cve": "CVE-2024-51956",
      "product_status": {
        "known_affected": [
          "T041548"
        ]
      },
      "release_date": "2025-03-03T23:00:00.000+00:00",
      "title": "CVE-2024-51956"
    },
    {
      "cve": "CVE-2024-51957",
      "product_status": {
        "known_affected": [
          "T041548"
        ]
      },
      "release_date": "2025-03-03T23:00:00.000+00:00",
      "title": "CVE-2024-51957"
    },
    {
      "cve": "CVE-2024-51959",
      "product_status": {
        "known_affected": [
          "T041548"
        ]
      },
      "release_date": "2025-03-03T23:00:00.000+00:00",
      "title": "CVE-2024-51959"
    },
    {
      "cve": "CVE-2024-51960",
      "product_status": {
        "known_affected": [
          "T041548"
        ]
      },
      "release_date": "2025-03-03T23:00:00.000+00:00",
      "title": "CVE-2024-51960"
    },
    {
      "cve": "CVE-2024-51963",
      "product_status": {
        "known_affected": [
          "T041548"
        ]
      },
      "release_date": "2025-03-03T23:00:00.000+00:00",
      "title": "CVE-2024-51963"
    },
    {
      "cve": "CVE-2024-5888",
      "product_status": {
        "known_affected": [
          "T041548"
        ]
      },
      "release_date": "2025-03-03T23:00:00.000+00:00",
      "title": "CVE-2024-5888"
    }
  ]
}

FKIE_CVE-2024-51962

Vulnerability from fkie_nvd - Published: 2025-03-03 20:15 - Updated: 2026-02-13 19:41

Severity ?

8.7 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
8.7 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N

Summary

References

	URL	Tags
	psirt@esri.com	https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch/	Vendor Advisory

Impacted products

	Vendor	Product	Version
	esri	arcgis_server	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:esri:arcgis_server:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "0F9FCA91-B1DE-4C4E-8E33-C42BEA8F53D0",
              "versionEndIncluding": "11.3",
              "versionStartIncluding": "10.9.1",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A SQL injection vulnerability in ArcGIS Server allows an EDIT operation to modify column properties in a manner that could lead to SQL injection when performed by a remote authenticated user requiring elevated, non\u2011administrative privileges. Exploitation is restricted to users with advanced application\u2011specific permissions, indicating high privileges are required. Successful exploitation would have a high impact on integrity and confidentiality, with no impact on availability."
    },
    {
      "lang": "es",
      "value": "Una vulnerabilidad de inyecci\u00f3n SQL en ArcGIS Server permite que una operaci\u00f3n EDIT modifique las propiedades de las columnas, lo que permite la ejecuci\u00f3n de una inyecci\u00f3n SQL por parte de un usuario autenticado remoto con privilegios elevados (no administrativos). Esto tiene un gran impacto en la integridad y la confidencialidad, pero no en la disponibilidad."
    }
  ],
  "id": "CVE-2024-51962",
  "lastModified": "2026-02-13T19:41:49.147",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 8.7,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 5.8,
        "source": "psirt@esri.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 8.7,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 5.8,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2025-03-03T20:15:43.043",
  "references": [
    {
      "source": "psirt@esri.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch/"
    }
  ],
  "sourceIdentifier": "psirt@esri.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-89"
        }
      ],
      "source": "psirt@esri.com",
      "type": "Secondary"
    }
  ]
}

GHSA-G274-9873-JCXX

Vulnerability from github – Published: 2025-03-03 21:31 – Updated: 2026-02-06 09:30

Details

A SQL injection vulnerability in ArcGIS Server allows an EDIT operation to modify Column properties allowing for the execution of a SQL Injection by a remote authenticated user with elevated (non admin) privileges. There is a high impact to integrity and confidentiality and no impact to availability.

Severity ?

8.7 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2024-51962"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-89"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-03T20:15:43Z",
    "severity": "HIGH"
  },
  "details": "A SQL injection vulnerability in ArcGIS Server allows an EDIT\u00a0operation to modify Column properties allowing for the execution of a SQL Injection by a remote authenticated user with elevated (non admin) privileges.\u00a0 There is a high impact to integrity and confidentiality and no impact to availability.",
  "id": "GHSA-g274-9873-jcxx",
  "modified": "2026-02-06T09:30:28Z",
  "published": "2025-03-03T21:31:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-51962"
    },
    {
      "type": "WEB",
      "url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2024-51962 (GCVE-0-2024-51962)

CNVD-2025-05054

WID-SEC-W-2025-0476

FKIE_CVE-2024-51962

GHSA-G274-9873-JCXX

Tags

Sightings

Nomenclature