Bug: ArcGIS Server has reflective cross-site scripting and open redirect vulnerabilities
【Related Information】
Article ID: 43037
Bug Id: NIM104624, BUG-000080898, BUG-000081239
Software:
ArcGIS Server (10.0 and prior) 9.2, 9.3, 9.3.1, 10
ArcGIS for Server 10.1, 10.2, 10.2.1, 10.2.2, 10.1 SP1
Platforms: N/A
【Bug Description】
ArcGIS for Server versions 9.2 through 10.2.2 have reflective cross-site scripting (XSS) and open redirect vulnerabilities. Esri is planning to release a patch for these low to moderate risk vulnerabilities. Details for these issues are listed below.
CVE-2014-5121 - Cross-Site Scripting (XSS) vulnerabilities allow remote attackers to inject arbitrary web script or HTML (CWE-79, CVSS 4.3)
NIM104624 - general XSS vulnerabilities
BUG-000080898 - geocode service XSS vulnerabilities
CVE-2014-5122 - Open redirect vulnerability allows remote attackers to redirect users to arbitrary web sites (CWE-601, CVSS 5.8)
BUG-000081239 - URL redirection to untrusted site (Open-Redirect)
The risk level of vulnerability for CVE-2014-5122 is reduced with ArcGIS 10.1 SP1 and above because of added filtering protection.
【Bug Cause】
See the Description section, above.
1 reply
EsriSupport
A patch from Esri is coming soon to address these issues.
Suggested mitigations, which are best practices for secure production systems, include:
Disabling the ArcGIS Server Services Directory
Utilizing web application firewalls / filtering
Esri will provide status updates through this KB.
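The "added filtering protection" credited with reducing the CVE-2014-5122 risk in 10.1 SP1 is, in general terms, a check that a redirect parameter only ever sends the browser back to the site itself. The validator below is an added example, not Esri's code; the allowlisted host and the sample paths are constructed for illustration, and it shows the edge cases (protocol-relative, backslash and userinfo forms) that a naive "starts with /" check misses.

```python
from urllib.parse import urlsplit

# Constructed allowlist for the example; a real deployment lists its own hosts.
ALLOWED_HOSTS = {"gis.example.org"}


def safe_redirect_target(target: str, allowed_hosts=ALLOWED_HOSTS, fallback="/") -> str:
    """Return `target` if it stays on an allowed host, otherwise `fallback`.

    CWE-601 mitigation rules applied here:
      * reject empty values and control characters (also blocks header injection)
      * treat backslashes as slashes, as browsers do, before parsing
      * accept site-relative paths that begin with exactly one '/'
        ("//host/..." is protocol-relative and would leave the site)
      * accept absolute URLs only with an http(s) scheme and an allowlisted host
        (the hostname, not the netloc, so "allowed@other" user-info tricks fail)
    """
    if not target or any(ord(c) < 0x20 for c in target):
        return fallback

    candidate = target.replace("\\", "/")
    parts = urlsplit(candidate)

    if parts.scheme == "" and parts.netloc == "":
        # Purely relative reference: must be a single-slash path.
        if candidate.startswith("/") and not candidate.startswith("//"):
            return candidate
        return fallback

    if parts.scheme.lower() not in ("http", "https"):
        return fallback

    host = (parts.hostname or "").lower()
    if host in allowed_hosts:
        return candidate
    return fallback


if __name__ == "__main__":
    # Constructed inputs: two that stay on-site, several that must be refused.
    for sample in ("/arcgis/rest/services?f=json",
                   "https://gis.example.org/arcgis/rest/services",
                   "//other.example/", "/\\other.example/",
                   "https://gis.example.org@other.example/"):
        print(repr(sample), "->", safe_redirect_target(sample))
```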
【Created and Modified】
Created: 8/27/2014
Last Modified: 9/15/2014
【Original Link】
http://support.esri.com/en/kno ... 43037