Esri has announced that they have discovered a critical security vulnerability in ArcGIS Server when specially constructed steps are taken by persons with network access to the ArcGIS deployment to exploit Server-Side Request Forgery (SSRF), which can potentially be used to obtain access to sensitive internal system information by unauthorized individuals.
This issue is present in versions 10.4 – 10.7.1 of ArcGIS for Server, on both Windows and Linux operating systems. Esri has released patches for these versions of ArcGIS for Server here. ArcGIS Server 10.8 is unaffected by this issue.
Esri have published the following Blog and Knowledge Base article relating to this issue:
Clarita strongly recommends installing the relevant patch at your earliest possible opportunity and will be contacting all impacted clients directly to discuss your options. All patches can be downloaded from the Esri Support website: