CVE-2021-29097
ArcGIS general raster security update: buffer overflow
In short
ArcGIS and ArcReader contain buffer overflow flaws when processing specially crafted raster files. An attacker can send a malicious file to execute arbitrary code on the victim's computer.
Technical detail
Multiple stack and heap buffer overflows exist in raster file parsing across ArcGIS Desktop, ArcGIS Engine 10.8.1 and earlier, ArcGIS Pro 2.7 and earlier, and ArcReader. An unauthenticated attacker can exploit these by providing a specially crafted file, leading to arbitrary code execution with user privileges; no authentication or user interaction restrictions are specified beyond file opening.
Summary generated and translated by AI from the official description.
Multiple buffer overflow vulnerabilities when parsing a specially crafted file in Esri ArcReader, ArcGIS Desktop, ArcGIS Engine 10.8.1 (and earlier) and ArcGIS Pro 2.7 (and earlier) allow an unauthenticated attacker to achieve arbitrary code execution in the context of the current user.
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected products
Esri · ArcGIS DesktopEsri · ArcGIS Desktop Background GeoprocessingEsri · ArcGIS EngineEsri · ArcGIS ProEsri · ArcReaderWant to know if your infrastructure is exposed to this?
Talk to TrueHacking →References
https://www.esri.com/arcgis-blog/products/arcgis/administration/security-advisory-general-raster/https://www.zerodayinitiative.com/advisories/ZDI-21-360/https://www.zerodayinitiative.com/advisories/ZDI-21-363/https://www.zerodayinitiative.com/advisories/ZDI-21-364/https://www.zerodayinitiative.com/advisories/ZDI-21-365/https://www.zerodayinitiative.com/advisories/ZDI-21-367/https://www.zerodayinitiative.com/advisories/ZDI-21-368/https://www.zerodayinitiative.com/advisories/ZDI-21-369/https://www.zerodayinitiative.com/advisories/ZDI-21-371/