History: Jun 07, 2021 - 11:47 a.m.

CVE-2021-29099 There is a SQL injection vulnerability in ArcGIS Server

2021-06-07 11:47:19
CWE-89
Esri
www.cve.org
cve-2021-29099
arcgis server
sql injection

CVSS3: 5.3

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

AI Score: 6
Confidence: High

EPSS: 0.001
Percentile: 31.7%

A SQL injection vulnerability exists in some configurations of ArcGIS Server versions 10.8.1 and earlier. Specially crafted web requests can expose information that is not intended to be disclosed (not customer datasets). Web Services that use file-based data sources (file Geodatabase or Shape Files or tile cached services) are unaffected by this issue.

CNA Affected

[
  {
    "platforms": [
      "x64"
    ],
    "product": "ArcGIS Server",
    "vendor": "Esri",
    "versions": [
      {
        "lessThan": "10.9.0",
        "status": "affected",
        "version": "10.8.1",
        "versionType": "custom"
      }
    ]
  }
]
