A SQL injection vulnerability exists in some configurations of Esri ArcGIS Server versions 10.8.1 (and earlier). Specially crafted web requests can expose information that is not intended to be disclosed (not customer datasets).
- Web Services that use file based data sources (file Geodatabase or Shape Files or tile cached services) are unaffected by this issue.
- By default, services published to ArcGIS Enterprise are not available anonymously and those services cannot be accessed by an unauthenticated attacker.
- Database accounts should be configured using the principle of least privilege.
Esri has released updates for ArcGIS Server that resolve this moderate-risk vulnerability here.
Common Vulnerability Scoring System (CVSS v3.1) Details
5.3 Base Score, 4.8 Temporal Score
- Exploit Code Maturity: Proof-of-Concept
- Remediation Level: Official Fix Available
- Report Confidence: Confirmed by Esri
We provide the temporal score in addition to the base score to allow our customers to better assess risk of this vulnerability to their operations. Please see Common Vulnerability Scoring System for more information on the definition of these metrics.
- CVE-2021-29099 CWE-89 – CVSS 5.3
- Elwood Buck (MindPoint Group)
- Peter Davies (MindPoint Group)