CVE-2021-29114
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Summary
A SQL injection vulnerability in feature services provided by Esri ArcGIS Server 10.9 and below allows a remote, unauthenticated attacker to impact the confidentiality, integrity and availability of targeted services via specifically crafted queries.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Esri | ArcGIS Server | All < 10.9.0 | affected |
Weaknesses
- CWE-89: CWE-89 SQL Injection
Workarounds
Mitigating measures:
Web Services that use file based data sources (file Geodatabase or Shape Files or tile cached services) are unaffected by this issue. By default, services published to ArcGIS Enterprise are not available anonymously and those services cannot be accessed by an unauthenticated attacker. Database accounts should be configured using the principle of least privilege.
ADP Enrichment
CVE Program Container
Additional References
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.