{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-51962", "assignerOrgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e", "state": "PUBLISHED", "assignerShortName": "Esri", "dateReserved": "2024-11-04T16:54:40.930Z", "datePublished": "2025-03-03T19:58:48.928Z", "dateUpdated": "2025-04-10T19:20:17.430Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "platforms": ["Windows", "Linux"], "product": "ArcGIS Server", "vendor": "Esri", "versions": [{"changes": [{"at": "Security 2025 update 1", "status": "unaffected"}], "lessThanOrEqual": "11.3", "status": "affected", "version": "all", "versionType": "all"}]}], "datePublic": "2025-02-28T20:06:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">A SQL injection vulnerability in ArcGIS Server allows an EDIT&nbsp;operation to modify Column properties allowing for the execution of a SQL Injection by a remote authenticated user with elevated (non admin) privileges.&nbsp; There is a high impact to integrity and confidentiality and no impact to availability.&nbsp;</span>"}], "value": "A SQL injection vulnerability in ArcGIS Server allows an EDIT\u00a0operation to modify Column properties allowing for the execution of a SQL Injection by a remote authenticated user with elevated (non admin) privileges.\u00a0 There is a high impact to integrity and confidentiality and no impact to availability."}], "impacts": [{"capecId": "CAPEC-66", "descriptions": [{"lang": "en", "value": "CAPEC-66 SQL Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e", "shortName": "Esri", "dateUpdated": "2025-04-10T19:20:17.430Z"}, "references": [{"url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch/"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Install ArcGIS Server security 2025 update 1."}], "value": "Install ArcGIS Server security 2025 update 1."}], "source": {"defect": ["BUG-000171444"], "discovery": "UNKNOWN"}, "title": "SQL injection vulnerability in ArcGIS Server", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-03T20:35:15.366088Z", "id": "CVE-2024-51962", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-03T20:35:40.969Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-51962", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-03-03T20:35:15.366088Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-03T20:35:28.404Z"}}], "cna": {"title": "SQL injection vulnerability in ArcGIS Server", "source": {"defect": ["BUG-000171444"], "discovery": "UNKNOWN"}, "impacts": [{"capecId": "CAPEC-66", "descriptions": [{"lang": "en", "value": "CAPEC-66 SQL Injection"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Esri", "product": "ArcGIS Server", "versions": [{"status": "affected", "changes": [{"at": "Security 2025 update 1", "status": "unaffected"}], "version": "all", "versionType": "all", "lessThanOrEqual": "11.3"}], "platforms": ["Windows", "Linux"], "defaultStatus": "affected"}], "solutions": [{"lang": "en", "value": "Install ArcGIS Server security 2025 update 1.", "supportingMedia": [{"type": "text/html", "value": "Install ArcGIS Server security 2025 update 1.", "base64": false}]}], "datePublic": "2025-02-28T20:06:00.000Z", "references": [{"url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch/"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "A SQL injection vulnerability in ArcGIS Server allows an EDIT\u00a0operation to modify Column properties allowing for the execution of a SQL Injection by a remote authenticated user with elevated (non admin) privileges.\u00a0 There is a high impact to integrity and confidentiality and no impact to availability.", "supportingMedia": [{"type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">A SQL injection vulnerability in ArcGIS Server allows an EDIT&nbsp;operation to modify Column properties allowing for the execution of a SQL Injection by a remote authenticated user with elevated (non admin) privileges.&nbsp; There is a high impact to integrity and confidentiality and no impact to availability.&nbsp;</span>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e", "shortName": "Esri", "dateUpdated": "2025-04-10T19:20:17.430Z"}}}, "cveMetadata": {"cveId": "CVE-2024-51962", "state": "PUBLISHED", "dateUpdated": "2025-04-10T19:20:17.430Z", "dateReserved": "2024-11-04T16:54:40.930Z", "assignerOrgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e", "datePublished": "2025-03-03T19:58:48.928Z", "assignerShortName": "Esri"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:esri:arcgis_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "0F9FCA91-B1DE-4C4E-8E33-C42BEA8F53D0", "versionEndIncluding": "11.3", "versionStartIncluding": "10.9.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A SQL injection vulnerability in ArcGIS Server allows an EDIT\u00a0operation to modify Column properties allowing for the execution of a SQL Injection by a remote authenticated user with elevated (non admin) privileges.\u00a0 There is a high impact to integrity and confidentiality and no impact to availability."}, {"lang": "es", "value": "Una vulnerabilidad de inyecci\u00f3n SQL en ArcGIS Server permite que una operaci\u00f3n EDIT modifique las propiedades de las columnas, lo que permite la ejecuci\u00f3n de una inyecci\u00f3n SQL por parte de un usuario autenticado remoto con privilegios elevados (no administrativos). Esto tiene un gran impacto en la integridad y la confidencialidad, pero no en la disponibilidad."}], "id": "CVE-2024-51962", "lastModified": "2025-03-06T14:23:26.167", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 5.8, "source": "psirt@esri.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.6, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 5.8, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-03-03T20:15:43.043", "references": [{"source": "psirt@esri.com", "tags": ["Vendor Advisory"], "url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch/"}], "sourceIdentifier": "psirt@esri.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "psirt@esri.com", "type": "Primary"}]}

{}