CVE-2024-51962

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-51962
A SQL injection vulnerability in ArcGIS Server allows an EDIT operation to modify column properties in a manner that could lead to SQL injection when performed by a remote authenticated user requiring elevated, non‑administrative privileges. Exploitation is restricted to users with advanced application‑specific permissions, indicating high privileges are required. Successful exploitation would have a high impact on integrity and confidentiality, with no impact on availability.

8.7 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.3 / Impact : 5.8

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope CHANGED

References
Link Resource
https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch/ Vendor Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:esri:arcgis_server:*:*:*:*:*:*:*:*
History

06 Feb 2026, 07:16

Type Values Removed Values Added
Summary (en) A SQL injection vulnerability in ArcGIS Server allows an EDIT operation to modify Column properties allowing for the execution of a SQL Injection by a remote authenticated user with elevated (non admin) privileges.  There is a high impact to integrity and confidentiality and no impact to availability. (en) A SQL injection vulnerability in ArcGIS Server allows an EDIT operation to modify column properties in a manner that could lead to SQL injection when performed by a remote authenticated user requiring elevated, non‑administrative privileges. Exploitation is restricted to users with advanced application‑specific permissions, indicating high privileges are required. Successful exploitation would have a high impact on integrity and confidentiality, with no impact on availability.

06 Mar 2025, 14:23

Type Values Removed Values Added
References () https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch/ - () https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-1-patch/ - Vendor Advisory
Summary
  • (es) Una vulnerabilidad de inyección SQL en ArcGIS Server permite que una operación EDIT modifique las propiedades de las columnas, lo que permite la ejecución de una inyección SQL por parte de un usuario autenticado remoto con privilegios elevados (no administrativos). Esto tiene un gran impacto en la integridad y la confidencialidad, pero no en la disponibilidad.
CPE cpe:2.3:a:esri:arcgis_server:*:*:*:*:*:*:*:*
First Time Esri arcgis Server
Esri

03 Mar 2025, 20:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-03-03 20:15

Updated : 2026-02-13 19:41

NVD link : CVE-2024-51962

Mitre link : CVE-2024-51962

CVE.ORG link : CVE-2024-51962

JSON object : View

Products Affected

esri

  • arcgis_server
CWE
CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')