CVE-2025-67707

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-67707

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-67707.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-67707

Published

2025-12-31T23:15:41.833Z

Modified

2026-03-13T03:42:12.641821Z

Severity

5.6 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L CVSS Calculator

Summary

[none]

Details

ArcGIS Server versions 11.5 and earlier on Windows and Linux do not sufficiently validate uploaded files, enabling a remote unauthenticated attacker to upload arbitrary files to the server’s designated upload directories.

However, the server’s architecture enforces controls that restrict uploaded files to non‑executable storage locations and prevent modification or replacement of existing application components or system configurations. Uploaded files cannot be executed, leveraged to escalate privileges, or used to access sensitive data.

Because the issue does not enable execution, service disruption, unauthorized access, or integrity compromise, its impact on confidentiality, integrity, and availability is low. Note that race conditions, secret values, or man‑in‑the‑middle conditions are required for exploitation.

References

https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-2-patch

Affected packages

Git /

Affected ranges

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-67707.json"

unresolved_ranges

[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "11.5"
            }
        ]
    }
]