Lucene search

[email protected]NVD:CVE-2021-29099

HistoryJun 07, 2021 - 12:15 p.m.

CVE-2021-29099

2021-06-0712:15:08

CWE-89

[email protected]

web.nvd.nist.gov

sql injection

arcgis server

web requests

information disclosure

data sources

vulnerability.

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS

0.001

Percentile

31.7%

JSON

A SQL injection vulnerability exists in some configurations of ArcGIS Server versions 10.8.1 and earlier. Specially crafted web requests can expose information that is not intended to be disclosed (not customer datasets). Web Services that use file based data sources (file Geodatabase or Shape Files or tile cached services) are unaffected by this issue.

Affected configurations

Nvd

Node

esriarcgis_serverRange≤10.8.1

VendorProductVersionCPE
esriarcgis_server*cpe:2.3:a:esri:arcgis_server:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
esri	arcgis_server	*	cpe:2.3:a:esri:arcgis_server::::::::

References

www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/security-advisory-e21-03-server-sql/

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS

0.001

Percentile

31.7%

JSON

Related for NVD:CVE-2021-29099

cve1 prion1 cvelist1