=== SUMMARY === Vendor: ArcGIS Product: ArcGIS Subject: ArcGIS Hidden Functionality Allows Insecure OAuth 2.0 Based Authentication - CVE-2025-0020 VSL-2025-21 CVSS: 7.9 (high) CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/U:Amber Credit: Erez Kalman Author: VULSec Labs Date: 2025-05-14 === DETAILS === CWE/CAPEC: Violation of Secure Design Principles, Hidden Functionality, Incorrect Provision of Specified Functionality vulnerability in ArcGIS (Authentication) allows Privilege Abuse, Manipulating Hidden Fields, Configuration/Environment Manipulation. The ArcGIS client_credentials OAuth 2.0 API implementation does not adhere to the RFC/standards; This hidden (known and by-design, but undocumented) functionality enables a requestor (referred to as client in RFC 6749) to request an, undocumented, custom token expiration from ArcGIS (referred to as authorization server in RFC 6749). === LINKS === https://www.vulsec.org/advisories PoC (/attached) https://www.cve.org/cverecord?id=CVE-2025-0020 https://www.rfc-editor.org/rfc/rfc6749 https://developers.arcgis.com/documentation/security-and-authentication/
Attachment:
standard-valid-request.png
Description: PNG image
Attachment:
standard-invalid-request.png
Description: PNG image
Attachment:
publickey - cve@vulsec.org - 0x04D8BEEC.asc
Description: application/pgp-keys
Attachment:
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: https://seclists.org/fulldisclosure/
