exploitDog

CVE-2025-67706

Published: 31 Dec 2025
Source: nvd
CVSS3: 5.6
CVSS3: 9.8
EPSS: Low

Description

ArcGIS Server version 11.5 and earlier on Windows and Linux does not properly validate uploaded files, which allows remote attackers to upload arbitrary files. However, exploitation is constrained by server-side controls that prevent execution of uploaded content and do not allow modification of existing application files or system configurations. As a result, successful exploitation would have a low impact on confidentiality, integrity, and availability, and would not enable service disruption, privilege escalation, or unauthorized access to sensitive data.

Vulnerable configurations

Configuration 1

All of

cpe:2.3:a:esri:arcgis_server:*:*:*:*:*:*:*:*
Versions up to and including 11.5

One of

cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

EPSS

Percentile: 59%
0.00375
Low

5.6 Medium

CVSS3

9.8 Critical

CVSS3

Weaknesses

CWE-434

Related vulnerabilities

CVSS3: 5.6
github
about 1 month ago

ArcGIS Server version 11.5 and earlier on Windows and Linux does not properly validate uploaded files, which allows remote attackers to upload arbitrary files.
