lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <kBEaAkeW-pKHoTlgW9Q2IO-Kxa8Hwn9BTS0tkPo14Q5mdIllu8-MGKyeg2TV6LFsNWoZquESycvYfrf7VTdl-JlY2Kj-mZtjyfYwTd2tvxA=@vulsec.org> Date: Wed, 14 May 2025 08:32:41 +0000 From: CVE - VULSec Labs via Fulldisclosure <fulldisclosure@...lists.org> To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org> Subject: [FD] ArcGIS Hidden Functionality Allows Insecure OAuth 2.0 Based Authentication - CVE-2025-0020 VSL-2025-21 === SUMMARY === Vendor: ArcGIS Product: ArcGIS Subject: ArcGIS Hidden Functionality Allows Insecure OAuth 2.0 Based Authentication - CVE-2025-0020 VSL-2025-21 CVSS: 7.9 (high) CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/U:Amber Credit: Erez Kalman Author: VULSec Labs Date: 2025-05-14 === DETAILS === CWE/CAPEC: Violation of Secure Design Principles, Hidden Functionality, Incorrect Provision of Specified Functionality vulnerability in ArcGIS (Authentication) allows Privilege Abuse, Manipulating Hidden Fields, Configuration/Environment Manipulation. The ArcGIS client_credentials OAuth 2.0 API implementation does not adhere to the RFC/standards; This hidden (known and by-design, but undocumented) functionality enables a requestor (referred to as client in RFC 6749) to request an, undocumented, custom token expiration from ArcGIS (referred to as authorization server in RFC 6749). === LINKS === https://www.vulsec.org/advisories PoC (/attached) https://www.cve.org/cverecord?id=CVE-2025-0020 https://www.rfc-editor.org/rfc/rfc6749 https://developers.arcgis.com/documentation/security-and-authentication/ Download attachment "standard-valid-request.png" of type "image/png" (278863 bytes) Download attachment "standard-invalid-request.png" of type "image/png" (233240 bytes) Download attachment "publickey - cve@...sec.org - 0x04D8BEEC.asc" of type "application/pgp-keys" (633 bytes) Download attachment "signature.asc" of type "application/pgp-signature" (344 bytes) _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: https://seclists.org/fulldisclosure/
Powered by blists - more mailing lists