CVE-2024-38040

Name of the Vulnerable Software and Affected Versions Esri Portal for ArcGIS versions 10.9.1 through 11.2

Description The issue is related to a local file inclusion vulnerability. It may allow a remote, unauthenticated attacker to craft a URL that could potentially disclose sensitive configuration information by reading internal files. This can be achieved through a specially crafted web page.

Recommendations For Esri Portal for ArcGIS versions 10.9.1 through 11.2, consider restricting access to internal files to minimize the risk of exploitation until a patch is available. As a temporary workaround, avoid using URLs that could potentially disclose sensitive configuration information. At the moment, there is no information about a newer version that contains a fix for this vulnerability.