Esri has released the ArcGIS Server Security 2021 Update 1 Patch that resolves a number of recently identified security vulnerabilities across versions 10.8.1, 10.7.1, and 10.6.1. As with all security patches, we encourage all system administrators to install security updates on relevant systems at your earliest opportunity.
The ArcGIS Server Security 2021 Update 1 Patch addresses one high severity vulnerability and multiple medium severity vulnerabilities. We provide Common Vulnerability Scoring System (CVSS) scores to allow our customers to better assess the risk of these vulnerabilities to their operations. Both the base score and a modified temporal score are provided, the latter reflecting the availability of an official patch. Please see Common Vulnerability Scoring System for more information on the definition of these metrics.
Vulnerabilities fixed in this patch include:
- A Server-Side Request Forgery (SSRF) vulnerability in Esri ArcGIS Server Manager version 10.8.1 and below may allow a remote, unauthenticated attacker to forge GET requests to arbitrary URLs from the system, potentially leading to network enumeration or facilitating other attacks.
Common Vulnerability Scoring System (CVSS v3.1) Details
9.1 Base Score, 8.7 Temporal Score
- Remediation Level: Official Fix Available
- Report Confidence: Confirmed by Esri
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/RL:O
Vulnerability Details
CVE-2021-29102 – Server Side Request Forgery (SSRF) CWE-918 – CVSS 8.7
- A reflected Cross Site Scripting (XSS) vulnerability in Esri ArcGIS Server version 10.8.1 and below may allow a remote attacker who can convince a user to click on a crafted link to execute arbitrary JavaScript code in the user’s browser.
Common Vulnerability Scoring System (CVSS v3.1) Details
6.1 Base Score, 5.8 Temporal Score
- Remediation Level: Official Fix Available
- Report Confidence: Confirmed by Esri
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/RL:O
Vulnerability Details
CVE-2021-29103 – Cross Site Scripting (XSS) CWE-79 – CVSS 5.2
- A stored Cross Site Scripting (XSS) vulnerability in Esri ArcGIS Server Manager version 10.6.1 (only) may allow a remote unauthenticated attacker to pass and store malicious strings in the ArcGIS Server Manager application.
Common Vulnerability Scoring System (CVSS v3.1) Details
6.1 Base Score, 5.8 Temporal Score
- Remediation Level: Official Fix Available
- Report Confidence: Confirmed by Esri
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/RL:O
Vulnerability Details
CVE-2021-29107 – Cross Site Scripting (XSS) CWE-79 – CVSS 5.2
- A stored Cross Site Scripting (XSS) vulnerability in Esri ArcGIS Server Services Directory version 10.8.1 and below may allow a remote authenticated attacker to pass and store malicious strings in the ArcGIS Services Directory.
Common Vulnerability Scoring System (CVSS v3.1) Details
5.4 Base Score, 5.2 Temporal Score
- Remediation Level: Official Fix Available
- Report Confidence: Confirmed by Esri
- Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/RL:O
Vulnerability Details
CVE-2021-29105 – Cross Site Scripting (XSS) CWE-79 – CVSS 5.2
Acknowledgements
Matthew Dekker – Security Consultant, ZX Security Limited
- A stored Cross Site Scripting (XSS) vulnerability in Esri ArcGIS Server Manager version 10.8.1 and below may allow a remote authenticated attacker to pass and store malicious strings in the ArcGIS Server Manager application.
Common Vulnerability Scoring System (CVSS v3.1) Details
6.1 Base Score, 4.6 Temporal Score
- Remediation Level: Official Fix Available
- Report Confidence: Confirmed by Esri
- Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N/RL:O
Vulnerability Details
CVE-2021-29104 – Cross Site Scripting (XSS) CWE-79 – CVSS 4.2
Acknowledgements
Roberto Suggi Liverani from NATO Cyber Security Centre (NCSC)
- A reflected Cross Site Scripting (XSS) vulnerability in Esri ArcGIS Server version 10.8.1 and below may allow a remote attacker who can convince a user to click on a crafted link to execute arbitrary JavaScript code in the user’s browser.
Common Vulnerability Scoring System (CVSS v3.1) Details
4.7 Base Score, 4.2 Temporal Score
- Remediation Level: Official Fix Available
- Report Confidence: Confirmed by Esri
- Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N/E:P/RL:O
Vulnerability Details
CVE-2021-29106 – Cross Site Scripting (XSS) CWE-79 – CVSS 4.2