Message-ID: <kBEaAkeW-pKHoTlgW9Q2IO-Kxa8Hwn9BTS0tkPo14Q5mdIllu8-MGKyeg2TV6LFsNWoZquESycvYfrf7VTdl-JlY2Kj-mZtjyfYwTd2tvxA=@vulsec.org>
Date: Wed, 14 May 2025 08:32:41 +0000
From: CVE - VULSec Labs via Fulldisclosure <fulldisclosure@...lists.org>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] ArcGIS Hidden Functionality Allows Insecure OAuth 2.0 Based Authentication - CVE-2025-0020 VSL-2025-21


=== SUMMARY ===
Vendor: ArcGIS
Product: ArcGIS
Subject: ArcGIS Hidden Functionality Allows Insecure OAuth 2.0 Based Authentication - CVE-2025-0020 VSL-2025-21

CVSS: 7.9 (high) CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/U:Amber
Credit: Erez Kalman
Author: VULSec Labs
Date: 2025-05-14


=== DETAILS ===


CWE/CAPEC: Violation of Secure Design Principles, Hidden Functionality, Incorrect Provision of Specified Functionality vulnerability in ArcGIS (Authentication) allows Privilege Abuse, Manipulating Hidden Fields, Configuration/Environment Manipulation.


The ArcGIS client_credentials OAuth 2.0 API implementation does not adhere to the OAuth 2.0 standard (RFC 6749). This hidden functionality (known to the vendor and by design, but undocumented) enables a requestor (the client, in RFC 6749 terms) to request an undocumented, custom token expiration from ArcGIS (the authorization server, in RFC 6749 terms).
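The deviation described above can be checked for from the defender's side. The Python below is an added example, not code from the advisory, from VULSec Labs or from ArcGIS: it flags client_credentials token requests that carry parameters RFC 6749 section 4.4.2 does not define for that grant, and token responses whose expires_in exceeds a local policy ceiling. The parameter name custom_ttl, the request bodies and the policy value are constructed for illustration; the advisory does not name the ArcGIS parameter.

```python
"""Audit OAuth 2.0 client_credentials traffic against RFC 6749.

Added example (not the advisory's or ArcGIS's own code). It parses constructed
token-endpoint request bodies, flags parameters that RFC 6749 section 4.4.2
does not define for the client_credentials grant, and flags token responses
(section 5.1) whose expires_in exceeds a local policy maximum.
"""
from urllib.parse import parse_qs

# RFC 6749 section 4.4.2: the client_credentials request carries grant_type
# (REQUIRED) and scope (OPTIONAL). Section 2.3.1 also allows client_id and
# client_secret in the request body, so they are accepted here too.
RFC6749_CLIENT_CREDENTIALS_PARAMS = {"grant_type", "scope", "client_id", "client_secret"}

# Local policy: the longest access-token lifetime (seconds) the authorization
# server is expected to issue. Constructed value for this example.
MAX_EXPIRES_IN = 3600

# Constructed sample request bodies (application/x-www-form-urlencoded); not
# captured from any real system.
SAMPLE_REQUESTS = [
    # RFC-conformant client_credentials request.
    "grant_type=client_credentials&client_id=abc123&client_secret=REDACTED",
    # Same request with a hypothetical non-RFC parameter (name made up here)
    # asking the server for a custom token lifetime.
    "grant_type=client_credentials&client_id=abc123&client_secret=REDACTED&custom_ttl=999999",
    # A different grant type: the client_credentials parameter set does not apply.
    "grant_type=authorization_code&code=xyz&redirect_uri=https%3A%2F%2Fapp.example%2Fcb",
]


def audit_token_request(body: str) -> dict:
    """Report on one token request body.

    Any parameter outside the RFC set on a client_credentials request is
    either a documented vendor extension or undocumented hidden functionality,
    and is worth reviewing either way.
    """
    params = parse_qs(body, keep_blank_values=True)
    grant = params.get("grant_type", [None])[0]
    is_cc = grant == "client_credentials"
    extra = sorted(set(params) - RFC6749_CLIENT_CREDENTIALS_PARAMS) if is_cc else []
    return {
        "grant_type": grant,
        "client_credentials": is_cc,
        "non_rfc_params": extra,
        "suspicious": is_cc and bool(extra),
    }


def audit_token_response(resp: dict, max_expires_in: int = MAX_EXPIRES_IN) -> dict:
    """Check an RFC 6749 section 5.1 token response against the lifetime policy."""
    expires_in = resp.get("expires_in")
    return {
        "has_expires_in": expires_in is not None,
        "expires_in": expires_in,
        # A lifetime above the expected ceiling means the server honoured a
        # custom expiration the relying party did not plan for.
        "exceeds_policy": expires_in is not None and int(expires_in) > max_expires_in,
    }


def audit_all(bodies=SAMPLE_REQUESTS) -> list:
    """Run the request audit over every sample body."""
    return [audit_token_request(b) for b in bodies]


if __name__ == "__main__":
    for report in audit_all():
        print(report)
    print(audit_token_response({"access_token": "x", "token_type": "Bearer", "expires_in": 86400}))
```

The request check needs no knowledge of the vendor-specific parameter name: it works from the RFC's allow-list, so it catches any undocumented extension on a client_credentials request. The response check catches the same condition from the other end, where the relying party can see the lifetime it was actually granted.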


=== LINKS ===


https://www.vulsec.org/advisories

PoC (/attached)
https://www.cve.org/cverecord?id=CVE-2025-0020

https://www.rfc-editor.org/rfc/rfc6749

https://developers.arcgis.com/documentation/security-and-authentication/

Attachments:
standard-valid-request.png (image/png, 278863 bytes)
standard-invalid-request.png (image/png, 233240 bytes)
publickey - cve@...sec.org - 0x04D8BEEC.asc (application/pgp-keys, 633 bytes)
signature.asc (application/pgp-signature, 344 bytes)

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/