ArcGIS Server Security 2021 Update 2 Patch


Esri has released the ArcGIS Server Security 2021 Update 2 Patch. This patch addresses four recently identified vulnerabilities in versions 10.9, 10.8.1, 10.7.1, and 10.6.1. As with all security patches, we encourage all system administrators to install security updates on their systems at the earliest opportunity.

One high severity vulnerability and three medium severity vulnerabilities are addressed in this patch.

To enable our customers to better assess the risk of these vulnerabilities in their operations, we provide Common Vulnerability Scoring System (CVSS) scores. Both a base score and a modified temporal score are provided; the temporal score reflects the availability of an official patch. For more information on the definition of these metrics, please see the Common Vulnerability Scoring System specification.

Vulnerabilities fixed in this patch include:


An SQL injection vulnerability in feature services provided by Esri ArcGIS Server 10.9 and earlier versions allows a remote, unauthenticated attacker to affect the confidentiality, integrity, and availability of targeted services via specially crafted queries.

Common Vulnerability Scoring System (CVSS v3.1) Details

Base Score: 3; Temporal Score: 6.0
Remediation Level: Official Fix Available
Report Confidence: Confirmed by Esri

Vulnerability Details

CVE coming soon – SQL Injection (SQLi) CWE-89 – CVSS 6.0

Mitigating measures:

By default, services published to ArcGIS Enterprise are not available anonymously and cannot be accessed by an unauthenticated attacker.
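As an added illustration (not part of Esri's advisory or product), the following Python scans web-server access-log lines for feature service `query` requests whose SQL-bearing parameters (`where`, `outFields`, `orderByFields`) look crafted rather than ordinary; the log format, paths and heuristics are assumptions, and the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not from the advisory). The request
# layout follows the ArcGIS REST feature service query endpoint shape,
# .../FeatureServer/<layer>/query?where=...; hosts and values are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Sep/2021:10:00:01 +0000] "GET /arcgis/rest/services/Parcels/FeatureServer/0/query?where=1%3D1&outFields=*&f=json HTTP/1.1" 200 5120
10.0.0.9 - - [01/Sep/2021:10:00:07 +0000] "GET /arcgis/rest/services/Parcels/FeatureServer/0/query?where=OBJECTID%3D1%27%20OR%20%271%27%3D%271&f=json HTTP/1.1" 200 88211
10.0.0.9 - - [01/Sep/2021:10:00:09 +0000] "GET /arcgis/rest/services/Parcels/FeatureServer/0/query?where=1%3D1%3B--&f=json HTTP/1.1" 500 310
10.0.0.5 - - [01/Sep/2021:10:00:12 +0000] "GET /arcgis/rest/services/Parcels/MapServer/0 HTTP/1.1" 200 1400
"""

# Common log format: client, timestamp, request line, status (assumed layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Only feature service query endpoints carry user-supplied SQL fragments.
QUERY_PATH_RE = re.compile(r'/rest/services/.+/FeatureServer/\d+/query$', re.IGNORECASE)
# Heuristics: comment markers, statement separators, boolean tautologies,
# UNION, time-delay functions. Tune to the SQL dialect behind the service.
SUSPECT_RE = re.compile(
    r"(--|/\*|;|\bor\b\s+[\w']+\s*=\s*[\w']+|\bunion\b|\bsleep\s*\(|\bwaitfor\b)",
    re.IGNORECASE,
)

def suspicious_value(value: str) -> bool:
    """True if a where/outFields/orderByFields value matches an injection
    heuristic or has an unbalanced number of single quotes."""
    return bool(SUSPECT_RE.search(value)) or value.count("'") % 2 == 1

def scan_log(text: str) -> list:
    """Return (ip, timestamp, param, decoded value) for every feature service
    query request whose SQL-bearing parameter looks crafted."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not QUERY_PATH_RE.search(url.path):
            continue
        params = parse_qs(url.query, keep_blank_values=True)  # percent-decodes
        for name in ("where", "outFields", "orderByFields"):
            for value in params.get(name, []):
                if suspicious_value(value):
                    hits.append((m["ip"], m["ts"], name, value))
    return hits
```

A plain `1=1` is a normal ArcGIS "return everything" filter and is deliberately not flagged; the two hits in the sample are the quoted tautology and the statement-terminator request that returned a 500.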

Common Vulnerability Scoring System (CVSS v3.1) Details

Base Score: 1; Temporal Score: 5.2
Remediation Level: Official Fix Available
Report Confidence: Confirmed by Esri

Vulnerability Details

CVE coming soon – Cross Site Scripting (XSS) CWE-79 – CVSS 5.2

Mitigating measures:

By default, services published to ArcGIS Enterprise are not available anonymously and cannot be accessed by an unauthenticated attacker.

Base Score: 3; Temporal Score: 4.1
Remediation Level: Official Fix Available
Report Confidence: Confirmed by Esri
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/RL:O/MPR:L

Vulnerability Details

CVE coming soon – Information Exposure CWE-200 – CVSS 4.1

Mitigating measures:

Options to mitigate this issue include securing the hosted feature service and any hosted feature service views created from it.

A remote file inclusion vulnerability in the ArcGIS Server help documentation could allow a remote, unauthenticated attacker to inject a page containing attacker-supplied HTML.

Common Vulnerability Scoring System (CVSS v3.1) Details
