{"api_version":"1","generated_at":"2026-04-23T09:53:12+00:00","cve":"CVE-2023-25834","urls":{"html":"https://cve.report/CVE-2023-25834","api":"https://cve.report/api/cve/CVE-2023-25834.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2023-25834","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2023-25834"},"summary":{"title":"CVE-2023-25834","description":"Changes to user permissions in Portal for ArcGIS 10.9.1 and below are incompletely applied in specific use cases. This issue may allow users to access content that they are no longer privileged to access.","state":"PUBLIC","assigner":"psirt@esri.com","published_at":"2023-05-09 16:15:00","updated_at":"2023-05-22 22:15:00"},"problem_types":["CWE-269"],"metrics":[],"references":[{"url":"https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2023-update-1-patch-is-now-available/","name":"https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2023-update-1-patch-is-now-available/","refsource":"MISC","tags":[],"title":"Portal for ArcGIS Security 2023 Update 1 Patch is Now Available","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://support.esri.com/en-us/patches-updates/2023/portal-for-arcgis-security-2023-update-1-patch-8095","name":"https://support.esri.com/en-us/patches-updates/2023/portal-for-arcgis-security-2023-update-1-patch-8095","refsource":"MISC","tags":[],"title":"Portal for ArcGIS Security 2023 Update 1 Patch","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-25834","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-25834","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2023","cve_id":"25834","vulnerable":"1","versionEndIncluding":"10.9.1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"esri","cpe5":"portal_for_arcgis","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"data_version":"4.0","data_type":"CVE","data_format":"MITRE","CVE_data_meta":{"ID":"CVE-2023-25834","ASSIGNER":"psirt@esri.com","STATE":"PUBLIC"},"description":{"description_data":[{"lang":"eng","value":"Changes to user permissions in Portal for ArcGIS 10.9.1 and below are incompletely applied in specific use cases. This issue may allow users to access content that they are no longer privileged to access."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-269 Improper Privilege Management","cweId":"CWE-269"}]}]},"affects":{"vendor":{"vendor_data":[{"vendor_name":"Esri","product":{"product_data":[{"product_name":"Portal for ArcGIS","version":{"version_data":[{"version_affected":"<=","version_name":"10.7.1","version_value":"10.9.1"}]}}]}}]}},"references":{"reference_data":[{"url":"https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2023-update-1-patch-is-now-available/","refsource":"MISC","name":"https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2023-update-1-patch-is-now-available/"},{"url":"https://support.esri.com/en-us/patches-updates/2023/portal-for-arcgis-security-2023-update-1-patch-8095","refsource":"MISC","name":"https://support.esri.com/en-us/patches-updates/2023/portal-for-arcgis-security-2023-update-1-patch-8095"}]},"generator":{"engine":"Vulnogram 0.1.0-dev"},"source":{"defect":["CVE-2023-25834"],"discovery":"INTERNAL"},"solution":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Install P<a target=\"_blank\" rel=\"nofollow\" href=\"https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2023-update-1-patch-is-now-available/\">ortal for ArcGIS Security 2023 Update 1</a><br>"}],"value":"Install P ortal for ArcGIS Security 2023 Update 1 https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2023-update-1-patch-is-now-available/ \n"}],"impact":{"cvss":[{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":4.6,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","integrityImpact":"LOW","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"None","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N","version":"3.1"}]}},"nvd":{"publishedDate":"2023-05-09 16:15:00","lastModifiedDate":"2023-05-22 22:15:00","problem_types":["CWE-269"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE","baseScore":5.4,"baseSeverity":"MEDIUM"},"exploitabilityScore":2.8,"impactScore":2.5}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:esri:portal_for_arcgis:*:*:*:*:*:*:*:*","versionStartIncluding":"10.7.1","versionEndIncluding":"10.9.1","cpe_name":[]}]}]}},"legacy_mitre":{"record":null,"notes":[]}}}