CVE-2021-29099: There is a SQL injection vulnerability in ArcGIS Server
First published: Mon Jun 07 2021(Updated: )
A SQL injection vulnerability exists in some configurations of ArcGIS Server versions 10.8.1 and earlier. Specially crafted web requests can expose information that is not intended to be disclosed (not customer datasets). Web Services that use file based data sources (file Geodatabase or Shape Files or tile cached services) are unaffected by this issue.
Credit: psirt@esri.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Esri ArcGIS Server | <=10.8.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2021-29099?
CVE-2021-29099 is a SQL injection vulnerability that exists in some configurations of ArcGIS Server versions 10.8.1 and earlier.
What can a SQL injection vulnerability expose?
A SQL injection vulnerability can expose information that is not intended to be disclosed.
Which versions of ArcGIS Server are affected by CVE-2021-29099?
ArcGIS Server versions 10.8.1 and earlier are affected by CVE-2021-29099.
What types of web services are affected by CVE-2021-29099?
Web Services that use file based data sources such as file Geodatabase or Shape Files are affected by CVE-2021-29099.
How can I fix CVE-2021-29099?
Upgrade to a version of ArcGIS Server that is not affected by CVE-2021-29099.
- collector/nvd-index
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/severity
- agent/last-modified-date
- agent/weakness
- agent/title
- agent/author
- agent/description
- agent/first-publish-date
- agent/event
- agent/tags
- vendor/esri
- canonical/esri arcgis server
- version/esri arcgis server/10.8.1