{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2024-51962", "assignerOrgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e", "state": "PUBLISHED", "assignerShortName": "Esri", "dateReserved": "2024-11-04T16:54:40.930Z", "datePublished": "2025-03-03T19:58:48.928Z", "dateUpdated": "2026-02-06T06:08:07.932Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "platforms": ["Windows", "Linux"], "product": "ArcGIS Server", "vendor": "Esri", "versions": [{"changes": [{"at": "Security 2025 update 1", "status": "unaffected"}], "lessThanOrEqual": "11.3", "status": "affected", "version": "all", "versionType": "all"}]}], "datePublic": "2025-02-28T20:06:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\"><div>A SQL injection vulnerability in ArcGIS Server allows an EDIT operation to modify column properties in a manner that could lead to SQL injection when performed by a remote authenticated user requiring elevated, non\u2011administrative privileges. Exploitation is restricted to users with advanced application\u2011specific permissions, indicating high privileges are required. Successful exploitation would have a high impact on integrity and confidentiality, with no impact on availability.</div>\n\n</span>"}], "value": "A SQL injection vulnerability in ArcGIS Server allows an EDIT operation to modify column properties in a manner that could lead to SQL injection when performed by a remote authenticated user requiring elevated, non\u2011administrative privileges. Exploitation is restricted to users with advanced application\u2011specific permissions, indicating high privileges are required. Successful exploitation would have a high impact on integrity and confidentiality, with no impact on availability."}], "impacts": [{"capecId": "CAPEC-66", "descriptions": [{"lang": "en", "value": "CAPEC-66 SQL Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e", "shortName": "Esri", "dateUpdated": "2026-02-06T06:08:07.932Z"}, "references": [{"url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch/"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Install ArcGIS Server security 2025 update 1."}], "value": "Install ArcGIS Server security 2025 update 1."}], "source": {"defect": ["BUG-000171444"], "discovery": "UNKNOWN"}, "title": "SQL injection vulnerability in ArcGIS Server", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-03T20:35:15.366088Z", "id": "CVE-2024-51962", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-03T20:35:40.969Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-51962", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-03-03T20:35:15.366088Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-03T20:35:28.404Z"}}], "cna": {"title": "SQL injection vulnerability in ArcGIS Server", "source": {"defect": ["BUG-000171444"], "discovery": "UNKNOWN"}, "impacts": [{"capecId": "CAPEC-66", "descriptions": [{"lang": "en", "value": "CAPEC-66 SQL Injection"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Esri", "product": "ArcGIS Server", "versions": [{"status": "affected", "changes": [{"at": "Security 2025 update 1", "status": "unaffected"}], "version": "all", "versionType": "all", "lessThanOrEqual": "11.3"}], "platforms": ["Windows", "Linux"], "defaultStatus": "affected"}], "solutions": [{"lang": "en", "value": "Install ArcGIS Server security 2025 update 1.", "supportingMedia": [{"type": "text/html", "value": "Install ArcGIS Server security 2025 update 1.", "base64": false}]}], "datePublic": "2025-02-28T20:06:00.000Z", "references": [{"url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch/"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "A SQL injection vulnerability in ArcGIS Server allows an EDIT operation to modify column properties in a manner that could lead to SQL injection when performed by a remote authenticated user requiring elevated, non\u2011administrative privileges. Exploitation is restricted to users with advanced application\u2011specific permissions, indicating high privileges are required. Successful exploitation would have a high impact on integrity and confidentiality, with no impact on availability.", "supportingMedia": [{"type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\"><div>A SQL injection vulnerability in ArcGIS Server allows an EDIT operation to modify column properties in a manner that could lead to SQL injection when performed by a remote authenticated user requiring elevated, non\u2011administrative privileges. Exploitation is restricted to users with advanced application\u2011specific permissions, indicating high privileges are required. Successful exploitation would have a high impact on integrity and confidentiality, with no impact on availability.</div>\n\n</span>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e", "shortName": "Esri", "dateUpdated": "2026-02-06T06:08:07.932Z"}}}, "cveMetadata": {"cveId": "CVE-2024-51962", "state": "PUBLISHED", "dateUpdated": "2026-02-06T06:08:07.932Z", "dateReserved": "2024-11-04T16:54:40.930Z", "assignerOrgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e", "datePublished": "2025-03-03T19:58:48.928Z", "assignerShortName": "Esri"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:esri:arcgis_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "0F9FCA91-B1DE-4C4E-8E33-C42BEA8F53D0", "versionEndIncluding": "11.3", "versionStartIncluding": "10.9.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A SQL injection vulnerability in ArcGIS Server allows an EDIT operation to modify column properties in a manner that could lead to SQL injection when performed by a remote authenticated user requiring elevated, non\u2011administrative privileges. Exploitation is restricted to users with advanced application\u2011specific permissions, indicating high privileges are required. Successful exploitation would have a high impact on integrity and confidentiality, with no impact on availability."}, {"lang": "es", "value": "Una vulnerabilidad de inyecci\u00f3n SQL en ArcGIS Server permite que una operaci\u00f3n EDIT modifique las propiedades de las columnas, lo que permite la ejecuci\u00f3n de una inyecci\u00f3n SQL por parte de un usuario autenticado remoto con privilegios elevados (no administrativos). Esto tiene un gran impacto en la integridad y la confidencialidad, pero no en la disponibilidad."}], "id": "CVE-2024-51962", "lastModified": "2026-02-06T07:16:10.633", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 5.8, "source": "psirt@esri.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.6, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 5.8, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-03-03T20:15:43.043", "references": [{"source": "psirt@esri.com", "tags": ["Vendor Advisory"], "url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch/"}], "sourceIdentifier": "psirt@esri.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "psirt@esri.com", "type": "Secondary"}]}

{}

{}