CVE-2021-29115

An information disclosure vulnerability

CVSS 5.3 MEDIUM · EPSS 2.1% · CWE-200
In short

A flaw in ArcGIS Service Directory allows attackers to see hidden field names in feature layers without needing special access. While field names are exposed, the actual data within those fields remains protected.

Technical detail

An information disclosure vulnerability in ArcGIS Service Directory (versions 10.9.0 and earlier) permits unauthenticated remote access to enumerate hidden field metadata in feature layers via directory traversal or API inspection. The exposure is limited to field nomenclature; feature records and their values are not compromised, reducing overall impact.

Summary generated and translated by AI from the official description.
An information disclosure vulnerability in the ArcGIS Service Directory in Esri ArcGIS Enterprise versions 10.9.0 and below may allow a remote attacker to view hidden field names in feature layers. This issue may reveal field names, but does not disclose features.
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Affected products
Esri · ArcGIS Server
