Description

A SQL injection vulnerability exists in some configurations of ArcGIS Server versions 10.8.1 and earlier. Specially crafted web requests can expose information that is not intended to be disclosed (not customer datasets). Web Services that use file based data sources (file Geodatabase or Shape Files or tile cached services) are unaffected by this issue.

Related CPE's

a

esri

arcgis_server

Vulnerable

References

https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/security-advisory-e21-03-server-sql/

Vendor Advisory

Weaknesses

[email protected]

Primary
CWE-89

[email protected]

Secondary
CWE-89

CVSS impact metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

5.3 · Medium

  • CVSS V3.1

  • CVSS V3.0

  • CVSS V2.0

Information

Source identifier

[email protected]

Vulnerability status

Modified

Published

2021-06-07T12:15:08.467

3 years ago

Last modified

2023-11-07T03:32:28.393

1 year ago