CVE-2021-29114
SQL injection vulnerability in ArcGIS Server
In short
ArcGIS Server versions 10.9 and below have a SQL injection flaw in their feature services that lets attackers send specially crafted requests to steal, modify, or delete database information without needing to log in.
Technical detail
A SQL injection vulnerability in ArcGIS Server feature services (v10.9 and below) allows unauthenticated remote attackers to execute arbitrary SQL commands through maliciously crafted queries, compromising the confidentiality, integrity, and availability of backend databases.
Summary generated and translated by AI from the official description.
A SQL injection vulnerability in feature services provided by Esri ArcGIS Server 10.9 and below allows a remote, unauthenticated attacker to impact the confidentiality, integrity and availability of targeted services via specifically crafted queries.
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Affected products
Esri · ArcGIS Server