Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2021-29118: ArcReader General Data Frame Security Update

An out-of-bounds read vulnerability exists when parsing a specially crafted file in Esri ArcReader 10.8.1 (and earlier) which allow an unauthenticated attacker to induce an information disclosure issue in the context of the current user.

CVE
#vulnerability#web#auth#zero_day

Esri has released ArcReader 10.8.2, which resolves two low and one moderate-risk vulnerabilities in ArcReader.

ArcReader 10.8.2 is the last release. We encourage users of ArcReader to transition to the updated alternatives for publishing and sharing map packages with ArcGIS Pro, and workflows using the ArcGIS Pro version of the ArcGIS Publisher extension in conjunction with ArcGIS Field Maps.

In the coming months, the ArcReader product website will be removed along with publicly available downloads. ArcReader software will continue to be available as a download from My Esri. The ArcReader online documentation will remain in place throughout the remainder of the ArcReader Product Support Life Cycle.

Recommendation
We encourage users of ArcReader to transition to the updated alternatives for publishing and sharing map packages with ArcGIS Pro, and workflows using the ArcGIS Pro version of the ArcGIS Publisher extension in conjunction with ArcGIS Field Maps.

Vulnerability Details

We provide the temporal score in addition to the base score to allow our customers to better assess risk of this vulnerability to their operations. Please see Common Vulnerability Scoring System for more information on the definition of these metrics.

  • CVE-2021-29117 – Use-After-Free – CWE-416 CVSS 7.8

Common Vulnerability Scoring System (CVSS v3.1) Details

7.8 Base Score, 6.8 Temporal Score

Exploit Code Maturity: Unproven
Remediation Level: Official Fix Available
Report Confidence: Confirmed by Esri

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

  • CVE-2021-29112 – Out-of-Bounds Read CWE-125 – CVSS 3.3

Common Vulnerability Scoring System (CVSS v3.1) Details

3.3 Base Score, Temporal Score 2.9

Exploit Code Maturity: Unproven
Remediation Level: Official Fix Available
Report Confidence: Confirmed by Esri

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C

  • CVE-2021-29118 – Out-of-Bounds Read CWE-125 – CVSS 3.3

Common Vulnerability Scoring System (CVSS v3.1) Details

3.3 Base Score, Temporal Score 2.9

Exploit Code Maturity: Unproven
Remediation Level: Official Fix Available
Report Confidence: Confirmed by Esri

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C

Acknowledgements
Tran Van Khang – khangkito (VinCSS) working with Trend Micro Zero Day Initiative

Related news

CVE-2022-38108: Published | Zero Day Initiative

SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands.

CVE-2022-36957: Published | Zero Day Initiative

SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907