CVE-2021-29099

Name of the Vulnerable Software and Affected Versions: ArcGIS Server versions 10.8.1 and earlier

Description: A SQL injection issue exists in some configurations, allowing specially crafted web requests to expose unintended information. This does not affect customer datasets. Web Services using file-based data sources, such as file Geodatabase, Shape Files, or tile cached services, are not affected by this issue.

Recommendations: For ArcGIS Server versions 10.8.1 and earlier, consider restricting access to sensitive data until a fix is available. As a temporary workaround, review and secure web request handling to prevent exploitation of the SQL injection issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.