{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2024-51958","assignerOrgId":"cedc17bb-4939-4f40-a1f4-30ae8af1094e","state":"PUBLISHED","assignerShortName":"Esri","dateReserved":"2024-11-04T16:54:39.392Z","datePublished":"2025-03-03T19:57:48.374Z","dateUpdated":"2025-04-10T19:26:38.749Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","platforms":["Windows","Linux"],"product":"ArcGIS Server","vendor":"Esri","versions":[{"lessThanOrEqual":"11.3","status":"affected","version":"all","versionType":"all"}]}],"datePublic":"2025-02-28T20:39:00.000Z","descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"There is a path traversal vulnerability in ESRI ArcGIS Server versions 11.3 and below.  Successful exploitation may allow a remote authenticated attacker with admin privileges to traverse the file system to access files outside of the intended directory.  There is no impact to integrity or availability due to the nature of the files that can be accessed, but there is a potential high impact to confidentiality.  "}],"value":"There is a path traversal vulnerability in ESRI ArcGIS Server versions 11.3 and below.  Successful exploitation may allow a remote authenticated attacker with admin privileges to traverse the file system to access files outside of the intended directory.  There is no impact to integrity or availability due to the nature of the files that can be accessed, but there is a potential high impact to confidentiality."}],"impacts":[{"capecId":"CAPEC-126","descriptions":[{"lang":"en","value":"CAPEC-126 Path Traversal"}]}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":4.9,"baseSeverity":"MEDIUM","confidentialityImpact":"HIGH","integrityImpact":"NONE","privilegesRequired":"HIGH","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-22","description":"CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"cedc17bb-4939-4f40-a1f4-30ae8af1094e","shortName":"Esri","dateUpdated":"2025-04-10T19:26:38.749Z"},"references":[{"url":"https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch/"}],"source":{"defect":["BUG-000172290"],"discovery":"UNKNOWN"},"title":"Directory traversal vulnerability in the admin api for service thumbnails","x_generator":{"engine":"Vulnogram 0.1.0-dev"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2025-03-03T20:52:25.307341Z","id":"CVE-2024-51958","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-03-03T20:52:36.001Z"}}]}}