CVE-2021-29114

Name of the Vulnerable Software and Affected Versions Esri ArcGIS Server versions 10.9 and below

Description The issue is related to a SQL injection vulnerability in feature services provided by Esri ArcGIS Server. This vulnerability may allow a remote, unauthenticated attacker to impact the confidentiality, integrity, and availability of targeted services via specifically crafted queries. The vulnerability is associated with the lack of protection against SQL query structure exploitation.

Recommendations For Esri ArcGIS Server versions 10.9 and below, consider updating to a version above 10.9 to resolve the issue. As a temporary workaround, restrict access to feature services to minimize the risk of exploitation. Avoid using specifically crafted queries in the affected feature services until the issue is resolved. At the moment, there is no information about additional mitigation measures.