Esri is aware of CVE-2023-4863, which has recently seen broad media attention due to its impact on the widely used image library libwebp.
We are also tracking CVE-2023-5217, which has not attracted as much media attention.
The libwebp library is used to process images created in the WebP image format.
CVE-2023-4863 is known to have been exploited in the wild by an attacker tricking a victim into opening an HTML page that contains a specially crafted WebP image, triggering a buffer overflow.
CVE-2023-5217 is a similar issue, found in libvpx.
The libvpx library is used to process videos created with the VPX codec.
CVE-2023-5217 is also known to have been exploited in the wild.
We are investigating the impact of these vulnerabilities in these third-party components on our software. We encourage you to subscribe to the RSS feed on the ArcGIS Trust Center for the latest information as it becomes available.