CVE-2024-38040 Overview
CVE-2024-38040 is a local file inclusion (LFI) vulnerability in Esri Portal for ArcGIS version 11.2 and earlier. A remote, unauthenticated attacker can craft a URL that forces the application to read arbitrary files from the server's filesystem. Successful exploitation discloses sensitive configuration data, internal application files, and other resources accessible to the Portal for ArcGIS process.
The weakness is tracked under CWE-73: External Control of File Name or Path. Esri addressed the issue in the Portal for ArcGIS Security 2024 Update 2 release.
Critical Impact
Unauthenticated attackers can read internal files from vulnerable Esri Portal for ArcGIS deployments over the network, exposing configuration and credentials that enable follow-on attacks.
Affected Products
- Esri Portal for ArcGIS 10.9.1
- Esri Portal for ArcGIS 11.0 and 11.1
- Esri Portal for ArcGIS 11.2
Discovery Timeline
- 2024-10-04 - CVE-2024-38040 published to the National Vulnerability Database
- 2025-04-10 - Last updated in NVD database
Technical Details for CVE-2024-38040
Vulnerability Analysis
The flaw resides in how Portal for ArcGIS resolves file paths provided through HTTP request parameters. The application accepts attacker-influenced path values and uses them to construct filesystem references without sufficient validation against a safe base directory. As a result, a crafted URL can reference files outside the intended web-accessible content.
Because Portal for ArcGIS exposes its REST endpoints to network clients, the exploit requires no credentials and no user interaction. The attacker submits a single HTTP request and receives the contents of internal files in the response.
The disclosed material can include configuration files, license information, deployment secrets, tokens, and other resources readable by the service account running the Portal process. These artifacts frequently provide the pivot needed to attack federated ArcGIS Server instances, identity stores, or backing databases.
Root Cause
The root cause is external control of a file name or path [CWE-73]. The vulnerable endpoint does not canonicalize input or enforce an allow-list of permitted resources before opening a file. Attacker-supplied traversal sequences therefore reach the underlying file API.
Attack Vector
The attack vector is network-based. An adversary issues an HTTP request to a Portal for ArcGIS endpoint with a manipulated parameter that references an internal file. The server reads the file and returns its contents in the response body, leaking data the attacker would not otherwise be able to access. No authentication, privileges, or user interaction are required.
The vulnerability manifests in Portal's request handling layer. Public technical details of the affected endpoint and parameter have not been released by Esri. See the Esri Security Update Announcement for vendor-provided context.
Detection Methods for CVE-2024-38040
Indicators of Compromise
- HTTP requests to Portal for ArcGIS endpoints containing path traversal sequences such as ../, ..\, encoded variants like %2e%2e%2f, or absolute filesystem paths in query parameters.
- Web server access logs showing unauthenticated requests that return unusually large responses or non-standard content types from Portal endpoints.
- Inbound reconnaissance from internet scanners probing /arcgis/portaladmin and related Portal URIs with file-reference parameters.
Detection Strategies
- Inspect Portal for ArcGIS web logs (portal.log, IIS or Tomcat access logs) for parameters containing .., URL-encoded traversal patterns, or references to sensitive files such as web.config, portal-config.json, hostname.properties, and /etc/passwd.
- Deploy WAF or reverse-proxy signatures that flag path traversal payloads against ArcGIS URI patterns.
- Correlate file-read attempts with subsequent authentication or token-issuance activity that may indicate use of leaked secrets.
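As an added example (not from this advisory, from Esri, or from the page's author), the following Python scanner applies the log-inspection strategy above to access-log lines: it percent-decodes query strings repeatedly so encoded and double-encoded traversal is caught, and flags absolute paths and the sensitive file names listed. The log lines are constructed, and the /arcgis/ URI prefix and combined-log-format regex are assumptions.

```python
import re
from urllib.parse import unquote
# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [04/Oct/2024:10:15:01 +0000] "GET /arcgis/portaladmin/?f=json HTTP/1.1" 200 512
203.0.113.9 - - [04/Oct/2024:10:15:02 +0000] "GET /arcgis/sharing/rest/content?file=..%2F..%2F..%2Fportal-config.json HTTP/1.1" 200 48210
203.0.113.9 - - [04/Oct/2024:10:15:03 +0000] "GET /arcgis/portaladmin/?path=%252e%252e%252fhostname.properties HTTP/1.1" 200 1950
198.51.100.4 - - [04/Oct/2024:10:15:04 +0000] "GET /arcgis/home/index.html HTTP/1.1" 200 8000
203.0.113.9 - - [04/Oct/2024:10:15:05 +0000] "GET /arcgis/portaladmin/?cfg=/etc/passwd HTTP/1.1" 200 2100
"""

LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<uri>\S+) [^"]*" \d{3} (\d+|-)')
PORTAL_PREFIX = "/arcgis/"          # assumption: Portal is served under this URI prefix
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')           # ../ or ..\ after decoding
ABS_PATH_RE = re.compile(r'(^|[=&])(/|[A-Za-z]:\\)')  # parameter value that is an absolute path
SENSITIVE = ("web.config", "portal-config.json", "hostname.properties", "/etc/passwd")

def fully_decode(s, rounds=3):
    """Percent-decode repeatedly so double-encoded payloads (%252e) are caught too."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

def classify_request(uri):
    """Return the reasons a request URI looks like a file-read attempt (empty if benign)."""
    path, _, query = uri.partition("?")
    if not path.startswith(PORTAL_PREFIX) or not query:
        return []
    q = fully_decode(query)
    reasons = []
    if TRAVERSAL_RE.search(q):
        reasons.append("path traversal sequence")
    if ABS_PATH_RE.search(q):
        reasons.append("absolute filesystem path")
    hits = [name for name in SENSITIVE if name in q.lower()]
    if hits:
        reasons.append("sensitive file reference: " + ", ".join(hits))
    return reasons

def scan_log(text):
    """Return (source IP, URI, reasons) for each suspicious line in the log text."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and (reasons := classify_request(m["uri"])):
            findings.append((m["src"], m["uri"], reasons))
    return findings
```

Running `scan_log(SAMPLE_LOG)` flags the three requests from 203.0.113.9 and leaves the two ordinary Portal requests alone; in production the same logic would run over forwarded portal.log, IIS or Tomcat access logs.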
Monitoring Recommendations
- Forward Portal for ArcGIS, IIS, and Tomcat logs to a centralized analytics platform and alert on traversal patterns and anomalous response sizes.
- Baseline normal Portal REST traffic so unauthenticated requests to administrative endpoints stand out.
- Monitor the Portal service account for unexpected file access outside the standard ArcGIS content directories.
How to Mitigate CVE-2024-38040
Immediate Actions Required
- Apply the Portal for ArcGIS Security 2024 Update 2 patch to all affected deployments running 10.9.1, 11.0, 11.1, or 11.2.
- Restrict network exposure of Portal for ArcGIS so administrative endpoints are reachable only from trusted networks or VPN.
- Rotate any secrets, tokens, or credentials stored in Portal configuration files that may have been read prior to patching.
Patch Information
Esri released a security update that resolves CVE-2024-38040 in Portal for ArcGIS. Administrators should install the patch documented in the Esri Security Update Announcement and verify the patch level through the Portal administrative interface after installation.
Workarounds
- Place Portal for ArcGIS behind a web application firewall configured to block path traversal sequences and absolute paths in query parameters.
- Limit inbound access to Portal endpoints using network ACLs, reverse-proxy authentication, or IP allow-listing until the patch is deployed.
- Audit the Portal service account permissions to minimize the set of files readable by the process, reducing the impact of any disclosure.
# Example reverse-proxy rule to block traversal payloads (illustrative)
location /arcgis/ {
    # $args is the raw, undecoded query string, so literal and percent-encoded
    # dot-dot sequences both have to be matched; ~* makes the match
    # case-insensitive, so %2E variants are covered as well. A bare "return"
    # is one of the few directives that is safe to use inside "if".
    if ($args ~* "(\.\./|\.\.\\|%2e%2e%2f|%2e%2e/|/%2e%2e)") {
        return 403;
    }
    proxy_pass https://portal-backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.