CVE-2021-29115

Summary

An information disclosure vulnerability in the ArcGIS Service Directory in Esri ArcGIS Enterprise versions 10.9.0 and below may allows a remote attacker to view hidden field names in feature layers. This issue may reveal field names, but not not disclose features.

Affected Software

VendorProductVersion RangeStatus
EsriArcGIS ServerAll <= 10.9.0affected

Weaknesses

  • CWE-200: CWE-200 Information Exposure

Workarounds

Options to address this issue include securing the hosted feature service and any created views.

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References