SQL injection vulnerability in ArcGIS Server
CVE-2021-29114

7.3HIGH

Key Information:

Vendor

Esri

Status
Arcgis Server
Vendor
CVE Published:
7 December 2021

What is CVE-2021-29114?

A SQL injection vulnerability in feature services provided by Esri ArcGIS Server 10.9 and below allows a remote, unauthenticated attacker to impact the confidentiality, integrity and availability of targeted services via specifically crafted queries.

Affected Version(s)

ArcGIS Server x64 All < 10.9.0

References

https://www.esri.com/arcgis-blog/products/arcgis-enterpri...
x_refsource_CONFIRM

CVSS V3.1

Score:
7.3
Severity:
HIGH
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

CVSS V3.0

Score:
7.3
Severity:
HIGH
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.
CVE-2021-29114 : SQL injection vulnerability in ArcGIS Server