CVE-2022-38202
Published 2022-12-28. CVE-2022-38202: There is a path traversal vulnerability in Esri ArcGIS Server versions 10.9.1 and below. Successful exploitation may allow a remote, unauthenticated attacker…
Priority: P346 · Severity: high · CVSS 3.1 base score: 7.5
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 1.33% (67.6th percentile)
There is a path traversal vulnerability in Esri ArcGIS Server versions 10.9.1 and below. Successful exploitation may allow a remote, unauthenticated attacker to traverse the file system and access files outside of the intended directory on ArcGIS Server. This could lead to the disclosure of sensitive site configuration information (not user datasets).
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| esri | arcgis_server | <= 10.9.1 | — |
| esri | arcgis_server | 11.0 – all | — |
VulDB: CVE-2022-38202 [HIGH] ESRI ArcGIS up to 10.9.1 path traversal (EUVD-2022-40795)
Source: vuldb · 2026-06-22 · CVSS 7.5
A vulnerability has been found in ESRI ArcGIS up to 10.9.1 and classified as problematic. This vulnerability affects unknown code. The manipulation leads to relative path traversal.
This vulnerability is traded as CVE-2022-38202. It is possible to initiate the attack remotely. There is no exploit available.
GHSA: CVE-2022-38202 [HIGH] CWE-22 GHSA-653f-v7gf-v92q: There is a path traversal vulnerability in Esri ArcGIS Server versions 10
Source: ghsa_unreviewed · 2022-12-28
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2022-12-28