ArcGIS GeoEvent Server versions 10.8.1 and below have a read-only directory path traversal vulnerability that could allow an unauthenticated, remote attacker to perform directory traversal attacks and read arbitrary files on the system.
Esri has released updates for ArcGIS GeoEvent Server that resolve this high-risk vulnerability.
Common Vulnerability Scoring System (CVSS v3.1) Details
8.6 Base Score, 8.2 Temporal Score
- Remediation Level: Official Fix Available
- Report Confidence: Confirmed by Esri
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N/RL:O/RC:C
We provide the temporal score in addition to the base score to allow our customers to better assess risk of this vulnerability to their operations. Please see Common Vulnerability Scoring System for more information on the definition of these metrics.
Vulnerability Details
CVE-2021-29101 – Relative Path Traversal CWE-23 – CVSS 8.2