ArcGIS Hidden Functionality Allows Insecure OAuth 2.0 Based Authentication - CVE-2025-0020 VSL-2025-21

[CVE - VULSec Labs via Fulldisclosure <fulldisclosure () seclists org>]

=== SUMMARY ===
Vendor: ArcGIS Product: ArcGIS Subject: ArcGIS Hidden Functionality Allows Insecure OAuth 2.0 Based Authentication - 
CVE-2025-0020 VSL-2025-21

CVSS: 7.9 (high) CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/U:Amber
Credit: Erez Kalman
Author: VULSec Labs
Date: 2025-05-14


=== DETAILS ===


CWE/CAPEC: Violation of Secure Design Principles, Hidden Functionality, Incorrect Provision of Specified Functionality 
vulnerability in ArcGIS (Authentication) allows Privilege Abuse, Manipulating Hidden Fields, Configuration/Environment 
Manipulation.


The ArcGIS client_credentials OAuth 2.0 API implementation does not adhere to the RFC/standards; This hidden (known and 
by-design, but undocumented) functionality enables a requestor (referred to as client in RFC 6749) to request an, 
undocumented, custom token expiration from ArcGIS (referred to as authorization server in RFC 6749).


=== LINKS ===


https://www.vulsec.org/advisories

PoC (/attached)
https://www.cve.org/cverecord?id=CVE-2025-0020

https://www.rfc-editor.org/rfc/rfc6749

https://developers.arcgis.com/documentation/security-and-authentication/

Attachment: publickey - cve@vulsec.org - 0x04D8BEEC.asc
Description:

Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/