Portal for ArcGIS 中存在服务器端请求伪造 (SSRF) 漏洞

攻击者利用此 SSRF 漏洞可以发起对内部资源的请求，这些资源通常对外部网络不可见。这可能导致攻击者访问内部 API、数据库或其他敏感服务。攻击者还可以利用此漏洞读取本地文件，或者尝试访问其他内部系统，从而实现横向移动。由于该漏洞无需身份验证，攻击者可以轻易地利用它，造成广泛的影响。如果 Portal for ArcGIS 用于存储或处理敏感数据，那么此漏洞的影响将更加严重。

Organizations heavily reliant on Esri Portal for ArcGIS for geospatial data management and web mapping are at significant risk. This includes government agencies, utilities, and businesses using ArcGIS for location-based services. Environments with limited network segmentation or weak firewall rules are particularly vulnerable, as an attacker could potentially pivot from the Portal server to other internal systems.

• arcgis: Examine Portal for ArcGIS server logs for unusual outbound requests to internal IP addresses or services. Use curl to test for SSRF vulnerabilities by attempting to access internal resources through the Portal.

curl -v --connect-timeout 5 'http://<portal_url>/arcgis/admin/rest/services/test/test/test?url=http://169.254.169.254/test' 2>&1 | grep -i 'Internal Server Error'

• generic web: Monitor access logs for requests originating from the Portal server attempting to access internal resources. Check response headers for SSRF-related indicators.

1. 2025-05-29Disclosure

   disclosure

1. 已保留2025-05-19
2. 发布日期2025-05-29
3. 修改日期2025-12-15
4. EPSS 更新日期2026-03-23

最有效的缓解措施是立即升级到 Esri Portal for ArcGIS 11.4.1 或更高版本。如果无法立即升级，可以考虑实施一些临时缓解措施。例如，可以配置 Web 应用防火墙 (WAF) 以阻止可疑的 SSRF 请求。还可以限制 Portal for ArcGIS 允许访问的外部 URL。此外，应定期审查 Portal 的配置，以确保其安全性。升级后，请验证 SSRF 保护是否已正确应用，例如通过尝试访问内部资源并确认被阻止。