ArcGIS Enterprise

ArcGIS Server SQL injection security update

A SQL injection vulnerability exists in some configurations of Esri ArcGIS Server versions 10.8.1 (and earlier). Specially crafted web requests can expose information that is not intended to be disclosed (not customer datasets).

Mitigating measures:

Esri has released updates for ArcGIS Server that resolve this moderate-risk vulnerability here.

Common Vulnerability Scoring System (CVSS v3.1) Details 

5.3 Base Score, 4.8 Temporal Score 

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 

We provide the temporal score in addition to the base score to allow our customers to better assess risk of this vulnerability to their operations.  Please see Common Vulnerability Scoring System for more information on the definition of these metrics. 

Vulnerability Details 

Acknowledgements:

Leave a Reply

Please Login to comment

Next Article

What's new in ArcGIS Maps for Adobe Creative Cloud (July 2021)

Read this article