Esri ArcGIS Server SQL Injection Vulnerability Allowing Unauthorized Data Access and Modification

Vulnerability

A SQL injection vulnerability has been identified in Esri ArcGIS Server versions 11.3, 11.4, and 11.5, across Windows, Linux, and Kubernetes platforms. This vulnerability enables remote, unauthenticated attackers to execute arbitrary SQL commands through a specific ArcGIS Feature Service operation. Exploitation of this vulnerability could lead to unauthorized access, modification, or deletion of data within the underlying Enterprise Geodatabase.

Impact

Exploitation of this vulnerability could result in unauthorized access to, modification of, or deletion of data in the affected Enterprise Geodatabase.

Remediation

Users are advised to apply the security patch available for ArcGIS Server versions 11.3, 11.4, and 11.5. This patch is non-cumulative, so it is recommended to apply all other applicable security patches for the version first. For ArcGIS Enterprise on Kubernetes 11.3 or 11.4, customers should upgrade to ArcGIS Enterprise 11.5 on Kubernetes. After applying the patch, users can schedule a geodatabase upgrade at a later date.

Added: Oct 22, 2025, 4:24 PM
Updated: Oct 22, 2025, 11:20 PM

Vulnerability Rating

Custom Algorithm

spread: 5.0
impact: 5.0
exploitability: 7.4
remediation: 7.9
relevance: 0.7
threat: 0.0
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.