ArcGIS GeoEvent Server

ArcGIS GeoEvent Server Security Update 2021 Patch 1

ArcGIS GeoEvent Server versions 10.8.1 and below have a read-only directory path traversal vulnerability that could allow an unauthenticated, remote attacker to perform directory traversal attacks and read arbitrary files on the system.

Esri has released updates for ArcGIS GeoEvent Server that resolve this high-risk vulnerability.

Common Vulnerability Scoring System (CVSS v3.1) Details

8.6 Base Score, 8.2 Temporal Score

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N/RL:O/RC:C 

We provide the temporal score in addition to the base score to allow our customers to better assess the risk of this vulnerability to their operations. Please see the Common Vulnerability Scoring System for more information on the definition of these metrics.

Vulnerability Details 

CVE-2021-29101 – Relative Path Traversal CWE-23 – CVSS 8.2 
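As an added illustration of the CWE-23 weakness class named above (example code, not Esri's or GeoEvent Server's), the following containment check resolves a client-supplied relative path against an assumed base directory and rejects anything that escapes it, beside the naive substring check it replaces. The base directory and the sample request paths are constructed for the example.

```python
"""Containment check for client-supplied relative paths (CWE-23).

Added example, not Esri code. Assumes a service that serves files from a
single base directory and accepts a relative path from the client.
"""
import posixpath
from typing import Dict, Iterable, Optional, Tuple
from urllib.parse import unquote

BASE_DIR = "/srv/files"  # assumed base directory, not from the advisory


def naive_is_safe(rel_path: str) -> bool:
    """Common but insufficient check: reject any path containing '..'.

    Misses percent-encoded dots and flags harmless 'a/../b' paths.
    """
    return ".." not in rel_path


def resolve_safe(rel_path: str, base_dir: str = BASE_DIR) -> Optional[str]:
    """Return the normalized absolute path if it stays inside base_dir.

    Decodes twice to defeat double percent-encoding, treats backslashes as
    separators, anchors the path under base_dir, collapses '.' and '..'
    lexically, then requires the result to share base_dir as its prefix.
    Returns None for anything that escapes (or for the base dir itself).
    """
    decoded = unquote(unquote(rel_path)).replace("\\", "/")
    # A leading '/' would otherwise discard base_dir during the join.
    candidate = posixpath.normpath(posixpath.join(base_dir, decoded.lstrip("/")))
    if candidate == base_dir or posixpath.commonpath([base_dir, candidate]) != base_dir:
        return None
    return candidate


# Constructed request paths, chosen to show where the two checks disagree.
SAMPLE_REQUESTS = [
    "data/2021.json",
    "reports/../data/2021.json",
    "../../etc/passwd",
    "%2e%2e/%2e%2e/etc/passwd",
    "%252e%252e/%252e%252e/etc/passwd",
    "..\\..\\boot.ini",
]


def audit(paths: Iterable[str]) -> Dict[str, Tuple[bool, bool]]:
    """Map each path to (naive verdict, containment verdict); True means allowed."""
    return {p: (naive_is_safe(p), resolve_safe(p) is not None) for p in paths}


if __name__ == "__main__":
    for path, (naive_ok, contained) in audit(SAMPLE_REQUESTS).items():
        print(f"{path!r:40} naive={naive_ok!s:5} contained={contained}")
```

The normalization here is lexical, so in a real file server the surviving path should additionally be checked with a filesystem-aware call such as `os.path.realpath` to account for symbolic links.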

About the authors

I'm a member of the Software Security and Privacy Team. I also help out with Esri's Product Security Incident Response Team. I've been with Esri almost 14 years now. Before joining the Software Security and Privacy Team, I was a senior technical lead in Esri Support Services, focusing on deploying, securing, and using ArcGIS Enterprise technology.
