{"containers": {"cna": {"affected": [{"platforms": ["x64"], "product": "ArcGIS Server", "vendor": "Esri", "versions": [{"lessThan": "10.9.0", "status": "affected", "version": "All", "versionType": "custom"}]}], "datePublic": "2021-12-06T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "A SQL injection vulnerability in feature services provided by Esri ArcGIS Server 10.9 and below allows a remote, unauthenticated attacker to impact the confidentiality, integrity and availability of targeted services via specifically crafted queries."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "CWE-89 SQL Injection", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-12-07T10:51:39.000Z", "orgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e", "shortName": "Esri"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/arcgis-server-security-2021-update-2-patch-is-now-available"}], "source": {"defect": ["BUG-000142120", ""], "discovery": "UNKNOWN"}, "title": "SQL injection vulnerability in ArcGIS Server", "workarounds": [{"lang": "en", "value": "Mitigating measures:\n\nWeb Services that use file based data sources (file Geodatabase or Shape Files or tile cached services) are unaffected by this issue.\nBy default, services published to ArcGIS Enterprise are not available anonymously and those services cannot be accessed by an unauthenticated attacker.\nDatabase accounts should be configured using the principle of least privilege."}], "x_generator": {"engine": "Vulnogram 0.0.8"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@esri.com", "DATE_PUBLIC": "2021-12-06", "ID": "CVE-2021-29114", "STATE": "PUBLIC", "TITLE": "SQL injection vulnerability in ArcGIS Server"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "ArcGIS Server", "version": {"version_data": [{"platform": "x64", "version_affected": "<", "version_name": "All", "version_value": "10.9.0"}]}}]}, "vendor_name": "Esri"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A SQL injection vulnerability in feature services provided by Esri ArcGIS Server 10.9 and below allows a remote, unauthenticated attacker to impact the confidentiality, integrity and availability of targeted services via specifically crafted queries."}]}, "generator": {"engine": "Vulnogram 0.0.8"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-89 SQL Injection"}]}]}, "references": {"reference_data": [{"name": "https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/arcgis-server-security-2021-update-2-patch-is-now-available", "refsource": "CONFIRM", "url": "https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/arcgis-server-security-2021-update-2-patch-is-now-available"}]}, "source": {"defect": ["BUG-000142120", ""], "discovery": "UNKNOWN"}, "work_around": [{"lang": "en", "value": "Mitigating measures:\n\nWeb Services that use file based data sources (file Geodatabase or Shape Files or tile cached services) are unaffected by this issue.\nBy default, services published to ArcGIS Enterprise are not available anonymously and those services cannot be accessed by an unauthenticated attacker.\nDatabase accounts should be configured using the principle of least privilege."}]}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T22:02:50.515Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/arcgis-server-security-2021-update-2-patch-is-now-available"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-10T14:51:22.964995Z", "id": "CVE-2021-29114", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-10T14:59:11.832Z"}}]}, "cveMetadata": {"assignerOrgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e", "assignerShortName": "Esri", "cveId": "CVE-2021-29114", "datePublished": "2021-12-07T10:51:39.544Z", "dateReserved": "2021-03-23T00:00:00.000Z", "dateUpdated": "2025-04-10T14:59:11.832Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/arcgis-server-security-2021-update-2-patch-is-now-available", "tags": ["x_refsource_CONFIRM", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T22:02:50.515Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2021-29114", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-10T14:51:22.964995Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-10T14:51:25.156Z"}}], "cna": {"title": "SQL injection vulnerability in ArcGIS Server", "source": {"defect": ["BUG-000142120", ""], "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_0": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 7.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "Esri", "product": "ArcGIS Server", "versions": [{"status": "affected", "version": "All", "lessThan": "10.9.0", "versionType": "custom"}], "platforms": ["x64"]}], "datePublic": "2021-12-06T00:00:00.000Z", "references": [{"url": "https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/arcgis-server-security-2021-update-2-patch-is-now-available", "tags": ["x_refsource_CONFIRM"]}], "workarounds": [{"lang": "en", "value": "Mitigating measures:\n\nWeb Services that use file based data sources (file Geodatabase or Shape Files or tile cached services) are unaffected by this issue.\nBy default, services published to ArcGIS Enterprise are not available anonymously and those services cannot be accessed by an unauthenticated attacker.\nDatabase accounts should be configured using the principle of least privilege."}], "x_generator": {"engine": "Vulnogram 0.0.8"}, "descriptions": [{"lang": "en", "value": "A SQL injection vulnerability in feature services provided by Esri ArcGIS Server 10.9 and below allows a remote, unauthenticated attacker to impact the confidentiality, integrity and availability of targeted services via specifically crafted queries."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89 SQL Injection"}]}], "providerMetadata": {"orgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e", "shortName": "Esri", "dateUpdated": "2021-12-07T10:51:39.000Z"}, "x_legacyV4Record": {"impact": {"cvss": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, "source": {"defect": ["BUG-000142120", ""], "discovery": "UNKNOWN"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"platform": "x64", "version_name": "All", "version_value": "10.9.0", "version_affected": "<"}]}, "product_name": "ArcGIS Server"}]}, "vendor_name": "Esri"}]}}, "data_type": "CVE", "generator": {"engine": "Vulnogram 0.0.8"}, "references": {"reference_data": [{"url": "https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/arcgis-server-security-2021-update-2-patch-is-now-available", "name": "https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/arcgis-server-security-2021-update-2-patch-is-now-available", "refsource": "CONFIRM"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "eng", "value": "A SQL injection vulnerability in feature services provided by Esri ArcGIS Server 10.9 and below allows a remote, unauthenticated attacker to impact the confidentiality, integrity and availability of targeted services via specifically crafted queries."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-89 SQL Injection"}]}]}, "work_around": [{"lang": "en", "value": "Mitigating measures:\n\nWeb Services that use file based data sources (file Geodatabase or Shape Files or tile cached services) are unaffected by this issue.\nBy default, services published to ArcGIS Enterprise are not available anonymously and those services cannot be accessed by an unauthenticated attacker.\nDatabase accounts should be configured using the principle of least privilege."}], "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2021-29114", "STATE": "PUBLIC", "TITLE": "SQL injection vulnerability in ArcGIS Server", "ASSIGNER": "psirt@esri.com", "DATE_PUBLIC": "2021-12-06"}}}}, "cveMetadata": {"cveId": "CVE-2021-29114", "state": "PUBLISHED", "dateUpdated": "2025-04-10T14:59:11.832Z", "dateReserved": "2021-03-23T00:00:00.000Z", "assignerOrgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e", "datePublished": "2021-12-07T10:51:39.544Z", "assignerShortName": "Esri"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:esri:arcgis_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "ABC2428D-4C60-4EDB-81BA-F7FDA316383E", "versionEndIncluding": "10.9.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A SQL injection vulnerability in feature services provided by Esri ArcGIS Server 10.9 and below allows a remote, unauthenticated attacker to impact the confidentiality, integrity and availability of targeted services via specifically crafted queries."}, {"lang": "es", "value": "Una vulnerabilidad de inyecci\u00f3n SQL en los servicios de caracter\u00edsticas proporcionados por Esri ArcGIS Server versi\u00f3n 10.9 y anteriores, permite a un atacante remoto no autenticado afectar a la confidencialidad, integridad y disponibilidad de los servicios objetivo por medio de consultas espec\u00edficamente dise\u00f1adas"}], "id": "CVE-2021-29114", "lastModified": "2024-11-21T06:00:44.697", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "psirt@esri.com", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-12-07T11:15:07.910", "references": [{"source": "psirt@esri.com", "tags": ["Vendor Advisory"], "url": "https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/arcgis-server-security-2021-update-2-patch-is-now-available"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/arcgis-server-security-2021-update-2-patch-is-now-available"}], "sourceIdentifier": "psirt@esri.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "psirt@esri.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-89"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}