Search

Find a vulnerability

Search criteria

    12 vulnerabilities found for arcgis_pro by esri

    CVE-2026-1446 (GCVE-0-2026-1446)

    Vulnerability from nvd – Published: 2026-01-26 17:24 – Updated: 2026-02-06 06:04
    VLAI
    Title
    XSS issue is Esri ArcGIS Pro versions 3.6.0 and earlier
    Summary
    There is a Cross‑Site Scripting (XSS) issue in Esri ArcGIS Pro versions 3.6.0 and earlier. ArcGIS Pro is a desktop application, and exploitation is limited to local users interacting with the application; no privileged role or elevated permissions are required beyond standard local user access. A local attacker can supply malicious strings that may be rendered and executed when a specific dialog within ArcGIS Pro is opened. This issue is fixed in ArcGIS Pro version 3.6.1.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    Esri ArcGIS Pro Affected: 1.0 , < 3.6.1 (custom)
    Create a notification for this product.
    Date Public
    2026-01-27 06:04
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-1446",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-26T21:03:31.731403Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-26T21:04:26.238Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "x64",
                "windows"
              ],
              "product": "ArcGIS Pro",
              "vendor": "Esri",
              "versions": [
                {
                  "lessThan": "3.6.1",
                  "status": "affected",
                  "version": "1.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2026-01-27T06:04:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003eThere is a Cross\u2011Site Scripting (XSS) issue in Esri ArcGIS Pro versions 3.6.0 and earlier. ArcGIS Pro is a desktop application, and exploitation is limited to local users interacting with the application; no privileged role or elevated permissions are required beyond standard local user access. A local attacker can supply malicious strings that may be rendered and executed when a specific dialog within ArcGIS Pro is opened. This issue is fixed in ArcGIS Pro version 3.6.1.\u003c/div\u003e"
                }
              ],
              "value": "There is a Cross\u2011Site Scripting (XSS) issue in Esri ArcGIS Pro versions 3.6.0 and earlier. ArcGIS Pro is a desktop application, and exploitation is limited to local users interacting with the application; no privileged role or elevated permissions are required beyond standard local user access. A local attacker can supply malicious strings that may be rendered and executed when a specific dialog within ArcGIS Pro is opened. This issue is fixed in ArcGIS Pro version 3.6.1."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-63",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-63 Cross-Site Scripting (XSS)"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-06T06:04:15.645Z",
            "orgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
            "shortName": "Esri"
          },
          "references": [
            {
              "url": "https://www.esri.com/arcgis-blog/products/arcgis-pro/administration/arcgis-pro-3-6-1-patch"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Upgrade to ArcGIS Pro 3.6.1"
                }
              ],
              "value": "Upgrade to ArcGIS Pro 3.6.1"
            }
          ],
          "source": {
            "defect": [
              "BUG-000095782"
            ],
            "discovery": "UNKNOWN"
          },
          "title": "XSS issue is Esri ArcGIS Pro versions 3.6.0 and earlier",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
        "assignerShortName": "Esri",
        "cveId": "CVE-2026-1446",
        "datePublished": "2026-01-26T17:24:12.411Z",
        "dateReserved": "2026-01-26T16:40:43.410Z",
        "dateUpdated": "2026-02-06T06:04:15.645Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-1068 (GCVE-0-2025-1068)

    Vulnerability from nvd – Published: 2025-02-25 16:26 – Updated: 2025-02-26 00:05
    VLAI
    Title
    There is a code injection vulnerability in Esri ArcGIS AllSource
    Summary
    There is an untrusted search path vulnerability in Esri ArcGIS AllSource 1.2 and 1.3 that may allow a low privileged attacker with write privileges to the local file system to introduce a malicious executable to the filesystem. When the victim performs a specific action using ArcGIS AllSource, the file could execute and run malicious commands under the context of the victim. This issue is corrected in ArcGIS AllSource 1.2.1 and 1.3.1.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    Esri ArcGIS AllSource Affected: 1.2
    Affected: 1.3
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-1068",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-25T16:46:28.318860Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-25T16:46:35.573Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "ArcGIS AllSource",
              "vendor": "Esri",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.2"
                },
                {
                  "status": "affected",
                  "version": "1.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "There is an untrusted search path vulnerability in Esri ArcGIS AllSource 1.2 and 1.3 that may allow a low privileged attacker with write privileges to the local file system to introduce a malicious executable to the filesystem. When the victim performs a specific action using ArcGIS AllSource, the file could execute and run malicious commands under the context of the victim. This issue is corrected in ArcGIS AllSource 1.2.1 and 1.3.1."
                }
              ],
              "value": "There is an untrusted search path vulnerability in Esri ArcGIS AllSource 1.2 and 1.3 that may allow a low privileged attacker with write privileges to the local file system to introduce a malicious executable to the filesystem. When the victim performs a specific action using ArcGIS AllSource, the file could execute and run malicious commands under the context of the victim. This issue is corrected in ArcGIS AllSource 1.2.1 and 1.3.1."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-558",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-558 Replace Trusted Executable"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-426",
                  "description": "CWE-426 Untrusted Search Path",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-02-26T00:05:24.143Z",
            "orgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
            "shortName": "Esri"
          },
          "references": [
            {
              "url": "https://www.esri.com/arcgis-blog/products/administration/administration/arcgis-pro-and-arcgis-allsource-patches-address-high-severity-vulnerabilities"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "There is a code injection vulnerability in Esri ArcGIS AllSource",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
        "assignerShortName": "Esri",
        "cveId": "CVE-2025-1068",
        "datePublished": "2025-02-25T16:26:18.161Z",
        "dateReserved": "2025-02-05T18:59:51.831Z",
        "dateUpdated": "2025-02-26T00:05:24.143Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-1067 (GCVE-0-2025-1067)

    Vulnerability from nvd – Published: 2025-02-25 16:26 – Updated: 2025-02-26 00:03
    VLAI
    Title
    There is a code injection vulnerability in ArcGIS Pro
    Summary
    There is an untrusted search path vulnerability in Esri ArcGIS Pro 3.3 and 3.4 that may allow a low privileged attacker with write privileges to the local file system to introduce a malicious executable to the filesystem. When the victim performs a specific action using ArcGIS ArcGIS Pro, the file could execute and run malicious commands under the context of the victim. This issue is addressed in ArcGIS Pro 3.3.3 and 3.4.1.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-732 - Incorrect Permission Assignment for Critical Resource
    Assigner
    Impacted products
    Vendor Product Version
    Esri ArcGIS Pro Affected: 3.3.0 , ≤ 3.3.2 (semver)
    Affected: 3.4.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-1067",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-25T16:46:02.735946Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-25T16:46:09.739Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Windows",
                "64 bit"
              ],
              "product": "ArcGIS Pro",
              "vendor": "Esri",
              "versions": [
                {
                  "lessThanOrEqual": "3.3.2",
                  "status": "affected",
                  "version": "3.3.0",
                  "versionType": "semver"
                },
                {
                  "status": "affected",
                  "version": "3.4.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "There is an untrusted search path vulnerability in Esri ArcGIS Pro 3.3 and 3.4\u0026nbsp;that may allow a low privileged attacker with write privileges to the local file system to introduce a malicious executable to the filesystem. When the victim performs a specific action using ArcGIS ArcGIS Pro, the file could execute and run malicious commands under the context of the victim. This issue is addressed in ArcGIS Pro 3.3.3 and 3.4.1."
                }
              ],
              "value": "There is an untrusted search path vulnerability in Esri ArcGIS Pro 3.3 and 3.4\u00a0that may allow a low privileged attacker with write privileges to the local file system to introduce a malicious executable to the filesystem. When the victim performs a specific action using ArcGIS ArcGIS Pro, the file could execute and run malicious commands under the context of the victim. This issue is addressed in ArcGIS Pro 3.3.3 and 3.4.1."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-558",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-558 Replace Trusted Executable"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-732",
                  "description": "CWE-732 Incorrect Permission Assignment for Critical Resource",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-02-26T00:03:50.613Z",
            "orgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
            "shortName": "Esri"
          },
          "references": [
            {
              "url": "https://www.esri.com/arcgis-blog/products/administration/administration/arcgis-pro-and-arcgis-allsource-patches-address-high-severity-vulnerabilities"
            }
          ],
          "source": {
            "defect": [
              "BUG-000173823"
            ],
            "discovery": "UNKNOWN"
          },
          "title": "There is a code injection vulnerability in ArcGIS Pro",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
        "assignerShortName": "Esri",
        "cveId": "CVE-2025-1067",
        "datePublished": "2025-02-25T16:26:03.580Z",
        "dateReserved": "2025-02-05T18:48:27.690Z",
        "dateUpdated": "2025-02-26T00:03:50.613Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-29098 (GCVE-0-2021-29098)

    Vulnerability from nvd – Published: 2021-03-25 20:37 – Updated: 2025-04-10 15:22
    VLAI
    Title
    ArcGIS general raster security update: uninitialized pointer
    Summary
    Multiple uninitialized pointer vulnerabilities when parsing a specially crafted file in Esri ArcReader, ArcGIS Desktop, ArcGIS Engine 10.8.1 (and earlier) and ArcGIS Pro 2.7 (and earlier) allow an unauthenticated attacker to achieve arbitrary code execution in the context of the current user.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-824 - Access of Uninitialized Pointer
    Assigner
    Impacted products
    Date Public
    2021-03-16 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T22:02:50.333Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.esri.com/arcgis-blog/products/arcgis/administration/security-advisory-general-raster/"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-361/"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-362/"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-372/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-29098",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-10T14:50:14.442719Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-10T15:22:04.460Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "platforms": [
                "x86 Windows"
              ],
              "product": "ArcReader",
              "vendor": "Esri",
              "versions": [
                {
                  "lessThan": "10.9.0",
                  "status": "affected",
                  "version": "All",
                  "versionType": "custom"
                }
              ]
            },
            {
              "platforms": [
                "x86 Windows"
              ],
              "product": "ArcGIS Desktop",
              "vendor": "Esri",
              "versions": [
                {
                  "lessThan": "10.9.0",
                  "status": "affected",
                  "version": "All",
                  "versionType": "custom"
                }
              ]
            },
            {
              "platforms": [
                "X64 Windows"
              ],
              "product": "ArcGIS Engine",
              "vendor": "Esri",
              "versions": [
                {
                  "lessThan": "10.9.0",
                  "status": "affected",
                  "version": "All",
                  "versionType": "custom"
                }
              ]
            },
            {
              "platforms": [
                "x64 Linux"
              ],
              "product": "ArcGIS Engine",
              "vendor": "Esri",
              "versions": [
                {
                  "lessThan": "10.9.0",
                  "status": "affected",
                  "version": "All",
                  "versionType": "custom"
                }
              ]
            },
            {
              "platforms": [
                "X86 Windows"
              ],
              "product": "ArcGIS Engine",
              "vendor": "Esri",
              "versions": [
                {
                  "lessThan": "10.9.0",
                  "status": "affected",
                  "version": "All",
                  "versionType": "custom"
                }
              ]
            },
            {
              "platforms": [
                "X86 Linux"
              ],
              "product": "ArcGIS Engine",
              "vendor": "Esri",
              "versions": [
                {
                  "lessThan": "10.9.0",
                  "status": "affected",
                  "version": "All",
                  "versionType": "custom"
                }
              ]
            },
            {
              "platforms": [
                "x64 Windows"
              ],
              "product": "ArcGIS Pro",
              "vendor": "Esri",
              "versions": [
                {
                  "lessThan": "4.7.2",
                  "status": "affected",
                  "version": "All",
                  "versionType": "custom"
                }
              ]
            },
            {
              "platforms": [
                "x64 Windows"
              ],
              "product": "ArcGIS Desktop Background Geoprocessing",
              "vendor": "Esri",
              "versions": [
                {
                  "lessThan": "10.9.0",
                  "status": "affected",
                  "version": "All",
                  "versionType": "custom"
                }
              ]
            },
            {
              "platforms": [
                "x64 Linux"
              ],
              "product": "ArcGIS Desktop Background Geoprocessing",
              "vendor": "Esri",
              "versions": [
                {
                  "lessThan": "10.9.0",
                  "status": "affected",
                  "version": "All",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2021-03-16T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Multiple uninitialized pointer vulnerabilities when parsing a specially crafted file in Esri ArcReader, ArcGIS Desktop, ArcGIS Engine 10.8.1 (and earlier) and ArcGIS Pro 2.7 (and earlier) allow an unauthenticated attacker to achieve arbitrary code execution in the context of the current user."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 7.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-824",
                  "description": "CWE-824 Access of Uninitialized Pointer",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-03-31T18:08:21.000Z",
            "orgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
            "shortName": "Esri"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.esri.com/arcgis-blog/products/arcgis/administration/security-advisory-general-raster/"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-361/"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-362/"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-372/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "ArcGIS general raster security update: uninitialized pointer",
          "x_generator": {
            "engine": "Vulnogram 0.0.8"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "psirt@esri.com",
              "DATE_PUBLIC": "2021-03-16T04:00:00.000Z",
              "ID": "CVE-2021-29098",
              "STATE": "PUBLIC",
              "TITLE": "ArcGIS general raster security update: uninitialized pointer"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "ArcReader",
                          "version": {
                            "version_data": [
                              {
                                "platform": "x86 Windows",
                                "version_affected": "\u003c",
                                "version_name": "All",
                                "version_value": "10.9.0"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "ArcGIS Desktop",
                          "version": {
                            "version_data": [
                              {
                                "platform": "x86 Windows",
                                "version_affected": "\u003c",
                                "version_name": "All",
                                "version_value": "10.9.0"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "ArcGIS Engine",
                          "version": {
                            "version_data": [
                              {
                                "platform": "X64 Windows",
                                "version_affected": "\u003c",
                                "version_name": "All",
                                "version_value": "10.9.0"
                              },
                              {
                                "platform": "x64 Linux",
                                "version_affected": "\u003c",
                                "version_name": "All",
                                "version_value": "10.9.0"
                              },
                              {
                                "platform": "X86 Windows",
                                "version_affected": "\u003c",
                                "version_name": "All",
                                "version_value": "10.9.0"
                              },
                              {
                                "platform": "X86 Linux",
                                "version_affected": "\u003c",
                                "version_name": "All",
                                "version_value": "10.9.0"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "ArcGIS Pro",
                          "version": {
                            "version_data": [
                              {
                                "platform": "x64 Windows",
                                "version_affected": "\u003c",
                                "version_name": "All",
                                "version_value": "4.7.2"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "ArcGIS Desktop Background Geoprocessing",
                          "version": {
                            "version_data": [
                              {
                                "platform": "x64 Windows",
                                "version_affected": "\u003c",
                                "version_name": "All",
                                "version_value": "10.9.0"
                              },
                              {
                                "platform": "x64 Linux",
                                "version_affected": "\u003c",
                                "version_name": "All",
                                "version_value": "10.9.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Esri"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Multiple uninitialized pointer vulnerabilities when parsing a specially crafted file in Esri ArcReader, ArcGIS Desktop, ArcGIS Engine 10.8.1 (and earlier) and ArcGIS Pro 2.7 (and earlier) allow an unauthenticated attacker to achieve arbitrary code execution in the context of the current user."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.8"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 7.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-824 Access of Uninitialized Pointer"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.esri.com/arcgis-blog/products/arcgis/administration/security-advisory-general-raster/",
                  "refsource": "CONFIRM",
                  "url": "https://www.esri.com/arcgis-blog/products/arcgis/administration/security-advisory-general-raster/"
                },
                {
                  "name": "https://www.zerodayinitiative.com/advisories/ZDI-21-361/",
                  "refsource": "MISC",
                  "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-361/"
                },
                {
                  "name": "https://www.zerodayinitiative.com/advisories/ZDI-21-362/",
                  "refsource": "MISC",
                  "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-362/"
                },
                {
                  "name": "https://www.zerodayinitiative.com/advisories/ZDI-21-372/",
                  "refsource": "MISC",
                  "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-372/"
                }
              ]
            },
            "source": {
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
        "assignerShortName": "Esri",
        "cveId": "CVE-2021-29098",
        "datePublished": "2021-03-25T20:37:05.516Z",
        "dateReserved": "2021-03-23T00:00:00.000Z",
        "dateUpdated": "2025-04-10T15:22:04.460Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-29097 (GCVE-0-2021-29097)

    Vulnerability from nvd – Published: 2021-03-25 20:36 – Updated: 2024-09-17 03:17
    VLAI
    Title
    ArcGIS general raster security update: buffer overflow
    Summary
    Multiple buffer overflow vulnerabilities when parsing a specially crafted file in Esri ArcReader, ArcGIS Desktop, ArcGIS Engine 10.8.1 (and earlier) and ArcGIS Pro 2.7 (and earlier) allow an unauthenticated attacker to achieve arbitrary code execution in the context of the current user.
    CWE
    • CWE-122 - Heap-based Buffer Overflow
    • CWE-121 - Stack-based Buffer Overflow
    Assigner
    Impacted products
    Date Public
    2021-03-16 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T22:02:50.311Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.esri.com/arcgis-blog/products/arcgis/administration/security-advisory-general-raster/"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-367/"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-371/"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-364/"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-363/"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-369/"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-368/"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-365/"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-360/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "platforms": [
                "x86"
              ],
              "product": "ArcReader",
              "vendor": "Esri",
              "versions": [
                {
                  "lessThan": "10.9.0",
                  "status": "affected",
                  "version": "All",
                  "versionType": "custom"
                }
              ]
            },
            {
              "platforms": [
                "x86"
              ],
              "product": "ArcGIS Desktop",
              "vendor": "Esri",
              "versions": [
                {
                  "lessThan": "10.9.0",
                  "status": "affected",
                  "version": "All",
                  "versionType": "custom"
                }
              ]
            },
            {
              "platforms": [
                "x64"
              ],
              "product": "ArcGIS Engine",
              "vendor": "Esri",
              "versions": [
                {
                  "lessThan": "10.9.0",
                  "status": "affected",
                  "version": "All",
                  "versionType": "custom"
                }
              ]
            },
            {
              "platforms": [
                "x86"
              ],
              "product": "ArcGIS Engine",
              "vendor": "Esri",
              "versions": [
                {
                  "lessThan": "10.9.0",
                  "status": "affected",
                  "version": "All",
                  "versionType": "custom"
                }
              ]
            },
            {
              "platforms": [
                "x64"
              ],
              "product": "ArcGIS Pro",
              "vendor": "Esri",
              "versions": [
                {
                  "lessThan": "4.7.2",
                  "status": "affected",
                  "version": "All",
                  "versionType": "custom"
                }
              ]
            },
            {
              "platforms": [
                "x86"
              ],
              "product": "ArcGIS Desktop Background Geoprocessing",
              "vendor": "Esri",
              "versions": [
                {
                  "lessThan": "10.9",
                  "status": "affected",
                  "version": "All",
                  "versionType": "custom"
                }
              ]
            },
            {
              "platforms": [
                "x64"
              ],
              "product": "ArcGIS Desktop Background Geoprocessing",
              "vendor": "Esri",
              "versions": [
                {
                  "lessThan": "10.9",
                  "status": "affected",
                  "version": "All",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2021-03-16T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Multiple buffer overflow vulnerabilities when parsing a specially crafted file in Esri ArcReader, ArcGIS Desktop, ArcGIS Engine 10.8.1 (and earlier) and ArcGIS Pro 2.7 (and earlier) allow an unauthenticated attacker to achieve arbitrary code execution in the context of the current user."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 7.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-122",
                  "description": "CWE-122 Heap-based Buffer Overflow",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-121",
                  "description": "CWE-121 Stack-based Buffer Overflow",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-03-31T18:09:22.000Z",
            "orgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
            "shortName": "Esri"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.esri.com/arcgis-blog/products/arcgis/administration/security-advisory-general-raster/"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-367/"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-371/"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-364/"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-363/"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-369/"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-368/"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-365/"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-360/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "ArcGIS general raster security update: buffer overflow",
          "x_generator": {
            "engine": "Vulnogram 0.0.8"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "psirt@esri.com",
              "DATE_PUBLIC": "2021-03-16T04:00:00.000Z",
              "ID": "CVE-2021-29097",
              "STATE": "PUBLIC",
              "TITLE": "ArcGIS general raster security update: buffer overflow"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "ArcReader",
                          "version": {
                            "version_data": [
                              {
                                "platform": "x86",
                                "version_affected": "\u003c",
                                "version_name": "All",
                                "version_value": "10.9.0"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "ArcGIS Desktop",
                          "version": {
                            "version_data": [
                              {
                                "platform": "x86",
                                "version_affected": "\u003c",
                                "version_name": "All",
                                "version_value": "10.9.0"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "ArcGIS Engine",
                          "version": {
                            "version_data": [
                              {
                                "platform": "x64",
                                "version_affected": "\u003c",
                                "version_name": "All",
                                "version_value": "10.9.0"
                              },
                              {
                                "platform": "x86",
                                "version_affected": "\u003c",
                                "version_name": "All",
                                "version_value": "10.9.0"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "ArcGIS Pro",
                          "version": {
                            "version_data": [
                              {
                                "platform": "x64",
                                "version_affected": "\u003c",
                                "version_name": "All",
                                "version_value": "4.7.2"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "ArcGIS Desktop Background Geoprocessing",
                          "version": {
                            "version_data": [
                              {
                                "platform": "x86",
                                "version_affected": "\u003c",
                                "version_name": "All",
                                "version_value": "10.9"
                              },
                              {
                                "platform": "x64",
                                "version_affected": "\u003c",
                                "version_name": "All",
                                "version_value": "10.9"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Esri"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Multiple buffer overflow vulnerabilities when parsing a specially crafted file in Esri ArcReader, ArcGIS Desktop, ArcGIS Engine 10.8.1 (and earlier) and ArcGIS Pro 2.7 (and earlier) allow an unauthenticated attacker to achieve arbitrary code execution in the context of the current user."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.8"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 7.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-122 Heap-based Buffer Overflow"
                    }
                  ]
                },
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-121 Stack-based Buffer Overflow"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.esri.com/arcgis-blog/products/arcgis/administration/security-advisory-general-raster/",
                  "refsource": "CONFIRM",
                  "url": "https://www.esri.com/arcgis-blog/products/arcgis/administration/security-advisory-general-raster/"
                },
                {
                  "name": "https://www.zerodayinitiative.com/advisories/ZDI-21-367/",
                  "refsource": "MISC",
                  "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-367/"
                },
                {
                  "name": "https://www.zerodayinitiative.com/advisories/ZDI-21-371/",
                  "refsource": "MISC",
                  "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-371/"
                },
                {
                  "name": "https://www.zerodayinitiative.com/advisories/ZDI-21-364/",
                  "refsource": "MISC",
                  "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-364/"
                },
                {
                  "name": "https://www.zerodayinitiative.com/advisories/ZDI-21-363/",
                  "refsource": "MISC",
                  "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-363/"
                },
                {
                  "name": "https://www.zerodayinitiative.com/advisories/ZDI-21-369/",
                  "refsource": "MISC",
                  "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-369/"
                },
                {
                  "name": "https://www.zerodayinitiative.com/advisories/ZDI-21-368/",
                  "refsource": "MISC",
                  "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-368/"
                },
                {
                  "name": "https://www.zerodayinitiative.com/advisories/ZDI-21-365/",
                  "refsource": "MISC",
                  "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-365/"
                },
                {
                  "name": "https://www.zerodayinitiative.com/advisories/ZDI-21-360/",
                  "refsource": "MISC",
                  "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-360/"
                }
              ]
            },
            "source": {
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
        "assignerShortName": "Esri",
        "cveId": "CVE-2021-29097",
        "datePublished": "2021-03-25T20:36:03.915Z",
        "dateReserved": "2021-03-23T00:00:00.000Z",
        "dateUpdated": "2024-09-17T03:17:27.744Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-29096 (GCVE-0-2021-29096)

    Vulnerability from nvd – Published: 2021-03-25 18:37 – Updated: 2024-09-17 03:42
    VLAI
    Title
    ArcGIS general raster security update: use-after-free
    Summary
    A use-after-free vulnerability when parsing a specially crafted file in Esri ArcReader, ArcGIS Desktop, ArcGIS Engine 10.8.1 (and earlier) and ArcGIS Pro 2.7 (and earlier) allows an unauthenticated attacker to achieve arbitrary code execution in the context of the current user.
    CWE
    Assigner
    References
    Impacted products
    Date Public
    2021-03-16 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T22:02:50.577Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.esri.com/arcgis-blog/products/arcgis/administration/security-advisory-general-raster/"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-370/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "platforms": [
                "x86 Windows"
              ],
              "product": "ArcReader",
              "vendor": "Esri",
              "versions": [
                {
                  "lessThan": "10.9.0",
                  "status": "affected",
                  "version": "All",
                  "versionType": "custom"
                }
              ]
            },
            {
              "platforms": [
                "x86 Windows"
              ],
              "product": "ArcGIS Desktop",
              "vendor": "Esri",
              "versions": [
                {
                  "lessThan": "10.9.0",
                  "status": "affected",
                  "version": "All",
                  "versionType": "custom"
                }
              ]
            },
            {
              "platforms": [
                "X64 Windows"
              ],
              "product": "ArcGIS Engine",
              "vendor": "Esri",
              "versions": [
                {
                  "lessThan": "10.9.0",
                  "status": "affected",
                  "version": "All",
                  "versionType": "custom"
                }
              ]
            },
            {
              "platforms": [
                "x64 Linux"
              ],
              "product": "ArcGIS Engine",
              "vendor": "Esri",
              "versions": [
                {
                  "lessThan": "10.9.0",
                  "status": "affected",
                  "version": "All",
                  "versionType": "custom"
                }
              ]
            },
            {
              "platforms": [
                "X86 Windows"
              ],
              "product": "ArcGIS Engine",
              "vendor": "Esri",
              "versions": [
                {
                  "lessThan": "10.9.0",
                  "status": "affected",
                  "version": "All",
                  "versionType": "custom"
                }
              ]
            },
            {
              "platforms": [
                "X86 Linux"
              ],
              "product": "ArcGIS Engine",
              "vendor": "Esri",
              "versions": [
                {
                  "lessThan": "10.9.0",
                  "status": "affected",
                  "version": "All",
                  "versionType": "custom"
                }
              ]
            },
            {
              "platforms": [
                "x86 Windows"
              ],
              "product": "ArcGIS Desktop Background Geoprocessing",
              "vendor": "Esri",
              "versions": [
                {
                  "lessThan": "10.9.0",
                  "status": "affected",
                  "version": "All",
                  "versionType": "custom"
                }
              ]
            },
            {
              "platforms": [
                "x64 Windows"
              ],
              "product": "ArcGIS Engine Background Geoprocessing",
              "vendor": "Esri",
              "versions": [
                {
                  "lessThan": "10.9.0",
                  "status": "affected",
                  "version": "All",
                  "versionType": "custom"
                }
              ]
            },
            {
              "platforms": [
                "x64 Linux"
              ],
              "product": "ArcGIS Engine Background Geoprocessing",
              "vendor": "Esri",
              "versions": [
                {
                  "lessThan": "10.9.0",
                  "status": "affected",
                  "version": "All",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2021-03-16T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A use-after-free vulnerability when parsing a specially crafted file in Esri ArcReader, ArcGIS Desktop, ArcGIS Engine 10.8.1 (and earlier) and ArcGIS Pro 2.7 (and earlier) allows an unauthenticated attacker to achieve arbitrary code execution in the context of the current user."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 7.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-416",
                  "description": "CWE-416 Use After Free",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-03-31T18:10:06.000Z",
            "orgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
            "shortName": "Esri"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.esri.com/arcgis-blog/products/arcgis/administration/security-advisory-general-raster/"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-370/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "ArcGIS general raster security update: use-after-free",
          "x_generator": {
            "engine": "Vulnogram 0.0.8"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "psirt@esri.com",
              "DATE_PUBLIC": "2021-03-16T04:00:00.000Z",
              "ID": "CVE-2021-29096",
              "STATE": "PUBLIC",
              "TITLE": "ArcGIS general raster security update: use-after-free"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "ArcReader",
                          "version": {
                            "version_data": [
                              {
                                "platform": "x86 Windows",
                                "version_affected": "\u003c",
                                "version_name": "All",
                                "version_value": "10.9.0"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "ArcGIS Desktop",
                          "version": {
                            "version_data": [
                              {
                                "platform": "x86 Windows",
                                "version_affected": "\u003c",
                                "version_name": "All",
                                "version_value": "10.9.0"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "ArcGIS Engine",
                          "version": {
                            "version_data": [
                              {
                                "platform": "X64 Windows",
                                "version_affected": "\u003c",
                                "version_name": "All",
                                "version_value": "10.9.0"
                              },
                              {
                                "platform": "x64 Linux",
                                "version_affected": "\u003c",
                                "version_name": "All",
                                "version_value": "10.9.0"
                              },
                              {
                                "platform": "X86 Windows",
                                "version_affected": "\u003c",
                                "version_name": "All",
                                "version_value": "10.9.0"
                              },
                              {
                                "platform": "X86 Linux",
                                "version_affected": "\u003c",
                                "version_name": "All",
                                "version_value": "10.9.0"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "ArcGIS Desktop Background Geoprocessing",
                          "version": {
                            "version_data": [
                              {
                                "platform": "x86 Windows",
                                "version_affected": "\u003c",
                                "version_name": "All",
                                "version_value": "10.9.0"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "ArcGIS Engine Background Geoprocessing",
                          "version": {
                            "version_data": [
                              {
                                "platform": "x64 Windows",
                                "version_affected": "\u003c",
                                "version_name": "All",
                                "version_value": "10.9.0"
                              },
                              {
                                "platform": "x64 Linux",
                                "version_affected": "\u003c",
                                "version_name": "All",
                                "version_value": "10.9.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Esri"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A use-after-free vulnerability when parsing a specially crafted file in Esri ArcReader, ArcGIS Desktop, ArcGIS Engine 10.8.1 (and earlier) and ArcGIS Pro 2.7 (and earlier) allows an unauthenticated attacker to achieve arbitrary code execution in the context of the current user."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.8"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 7.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-416 Use After Free"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.esri.com/arcgis-blog/products/arcgis/administration/security-advisory-general-raster/",
                  "refsource": "CONFIRM",
                  "url": "https://www.esri.com/arcgis-blog/products/arcgis/administration/security-advisory-general-raster/"
                },
                {
                  "name": "https://www.zerodayinitiative.com/advisories/ZDI-21-370/",
                  "refsource": "MISC",
                  "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-370/"
                }
              ]
            },
            "source": {
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
        "assignerShortName": "Esri",
        "cveId": "CVE-2021-29096",
        "datePublished": "2021-03-25T18:37:37.051Z",
        "dateReserved": "2021-03-23T00:00:00.000Z",
        "dateUpdated": "2024-09-17T03:42:41.962Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2026-1446 (GCVE-0-2026-1446)

    Vulnerability from cvelistv5 – Published: 2026-01-26 17:24 – Updated: 2026-02-06 06:04
    VLAI
    Title
    XSS issue is Esri ArcGIS Pro versions 3.6.0 and earlier
    Summary
    There is a Cross‑Site Scripting (XSS) issue in Esri ArcGIS Pro versions 3.6.0 and earlier. ArcGIS Pro is a desktop application, and exploitation is limited to local users interacting with the application; no privileged role or elevated permissions are required beyond standard local user access. A local attacker can supply malicious strings that may be rendered and executed when a specific dialog within ArcGIS Pro is opened. This issue is fixed in ArcGIS Pro version 3.6.1.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    Esri ArcGIS Pro Affected: 1.0 , < 3.6.1 (custom)
    Create a notification for this product.
    Date Public
    2026-01-27 06:04
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-1446",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-26T21:03:31.731403Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-26T21:04:26.238Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "x64",
                "windows"
              ],
              "product": "ArcGIS Pro",
              "vendor": "Esri",
              "versions": [
                {
                  "lessThan": "3.6.1",
                  "status": "affected",
                  "version": "1.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2026-01-27T06:04:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003eThere is a Cross\u2011Site Scripting (XSS) issue in Esri ArcGIS Pro versions 3.6.0 and earlier. ArcGIS Pro is a desktop application, and exploitation is limited to local users interacting with the application; no privileged role or elevated permissions are required beyond standard local user access. A local attacker can supply malicious strings that may be rendered and executed when a specific dialog within ArcGIS Pro is opened. This issue is fixed in ArcGIS Pro version 3.6.1.\u003c/div\u003e"
                }
              ],
              "value": "There is a Cross\u2011Site Scripting (XSS) issue in Esri ArcGIS Pro versions 3.6.0 and earlier. ArcGIS Pro is a desktop application, and exploitation is limited to local users interacting with the application; no privileged role or elevated permissions are required beyond standard local user access. A local attacker can supply malicious strings that may be rendered and executed when a specific dialog within ArcGIS Pro is opened. This issue is fixed in ArcGIS Pro version 3.6.1."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-63",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-63 Cross-Site Scripting (XSS)"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-06T06:04:15.645Z",
            "orgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
            "shortName": "Esri"
          },
          "references": [
            {
              "url": "https://www.esri.com/arcgis-blog/products/arcgis-pro/administration/arcgis-pro-3-6-1-patch"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Upgrade to ArcGIS Pro 3.6.1"
                }
              ],
              "value": "Upgrade to ArcGIS Pro 3.6.1"
            }
          ],
          "source": {
            "defect": [
              "BUG-000095782"
            ],
            "discovery": "UNKNOWN"
          },
          "title": "XSS issue is Esri ArcGIS Pro versions 3.6.0 and earlier",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
        "assignerShortName": "Esri",
        "cveId": "CVE-2026-1446",
        "datePublished": "2026-01-26T17:24:12.411Z",
        "dateReserved": "2026-01-26T16:40:43.410Z",
        "dateUpdated": "2026-02-06T06:04:15.645Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-1068 (GCVE-0-2025-1068)

    Vulnerability from cvelistv5 – Published: 2025-02-25 16:26 – Updated: 2025-02-26 00:05
    VLAI
    Title
    There is a code injection vulnerability in Esri ArcGIS AllSource
    Summary
    There is an untrusted search path vulnerability in Esri ArcGIS AllSource 1.2 and 1.3 that may allow a low privileged attacker with write privileges to the local file system to introduce a malicious executable to the filesystem. When the victim performs a specific action using ArcGIS AllSource, the file could execute and run malicious commands under the context of the victim. This issue is corrected in ArcGIS AllSource 1.2.1 and 1.3.1.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    Esri ArcGIS AllSource Affected: 1.2
    Affected: 1.3
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-1068",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-25T16:46:28.318860Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-25T16:46:35.573Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "ArcGIS AllSource",
              "vendor": "Esri",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.2"
                },
                {
                  "status": "affected",
                  "version": "1.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "There is an untrusted search path vulnerability in Esri ArcGIS AllSource 1.2 and 1.3 that may allow a low privileged attacker with write privileges to the local file system to introduce a malicious executable to the filesystem. When the victim performs a specific action using ArcGIS AllSource, the file could execute and run malicious commands under the context of the victim. This issue is corrected in ArcGIS AllSource 1.2.1 and 1.3.1."
                }
              ],
              "value": "There is an untrusted search path vulnerability in Esri ArcGIS AllSource 1.2 and 1.3 that may allow a low privileged attacker with write privileges to the local file system to introduce a malicious executable to the filesystem. When the victim performs a specific action using ArcGIS AllSource, the file could execute and run malicious commands under the context of the victim. This issue is corrected in ArcGIS AllSource 1.2.1 and 1.3.1."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-558",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-558 Replace Trusted Executable"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-426",
                  "description": "CWE-426 Untrusted Search Path",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-02-26T00:05:24.143Z",
            "orgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
            "shortName": "Esri"
          },
          "references": [
            {
              "url": "https://www.esri.com/arcgis-blog/products/administration/administration/arcgis-pro-and-arcgis-allsource-patches-address-high-severity-vulnerabilities"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "There is a code injection vulnerability in Esri ArcGIS AllSource",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
        "assignerShortName": "Esri",
        "cveId": "CVE-2025-1068",
        "datePublished": "2025-02-25T16:26:18.161Z",
        "dateReserved": "2025-02-05T18:59:51.831Z",
        "dateUpdated": "2025-02-26T00:05:24.143Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-1067 (GCVE-0-2025-1067)

    Vulnerability from cvelistv5 – Published: 2025-02-25 16:26 – Updated: 2025-02-26 00:03
    VLAI
    Title
    There is a code injection vulnerability in ArcGIS Pro
    Summary
    There is an untrusted search path vulnerability in Esri ArcGIS Pro 3.3 and 3.4 that may allow a low privileged attacker with write privileges to the local file system to introduce a malicious executable to the filesystem. When the victim performs a specific action using ArcGIS ArcGIS Pro, the file could execute and run malicious commands under the context of the victim. This issue is addressed in ArcGIS Pro 3.3.3 and 3.4.1.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-732 - Incorrect Permission Assignment for Critical Resource
    Assigner
    Impacted products
    Vendor Product Version
    Esri ArcGIS Pro Affected: 3.3.0 , ≤ 3.3.2 (semver)
    Affected: 3.4.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-1067",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-25T16:46:02.735946Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-25T16:46:09.739Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Windows",
                "64 bit"
              ],
              "product": "ArcGIS Pro",
              "vendor": "Esri",
              "versions": [
                {
                  "lessThanOrEqual": "3.3.2",
                  "status": "affected",
                  "version": "3.3.0",
                  "versionType": "semver"
                },
                {
                  "status": "affected",
                  "version": "3.4.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "There is an untrusted search path vulnerability in Esri ArcGIS Pro 3.3 and 3.4\u0026nbsp;that may allow a low privileged attacker with write privileges to the local file system to introduce a malicious executable to the filesystem. When the victim performs a specific action using ArcGIS ArcGIS Pro, the file could execute and run malicious commands under the context of the victim. This issue is addressed in ArcGIS Pro 3.3.3 and 3.4.1."
                }
              ],
              "value": "There is an untrusted search path vulnerability in Esri ArcGIS Pro 3.3 and 3.4\u00a0that may allow a low privileged attacker with write privileges to the local file system to introduce a malicious executable to the filesystem. When the victim performs a specific action using ArcGIS ArcGIS Pro, the file could execute and run malicious commands under the context of the victim. This issue is addressed in ArcGIS Pro 3.3.3 and 3.4.1."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-558",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-558 Replace Trusted Executable"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-732",
                  "description": "CWE-732 Incorrect Permission Assignment for Critical Resource",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-02-26T00:03:50.613Z",
            "orgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
            "shortName": "Esri"
          },
          "references": [
            {
              "url": "https://www.esri.com/arcgis-blog/products/administration/administration/arcgis-pro-and-arcgis-allsource-patches-address-high-severity-vulnerabilities"
            }
          ],
          "source": {
            "defect": [
              "BUG-000173823"
            ],
            "discovery": "UNKNOWN"
          },
          "title": "There is a code injection vulnerability in ArcGIS Pro",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
        "assignerShortName": "Esri",
        "cveId": "CVE-2025-1067",
        "datePublished": "2025-02-25T16:26:03.580Z",
        "dateReserved": "2025-02-05T18:48:27.690Z",
        "dateUpdated": "2025-02-26T00:03:50.613Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-29098 (GCVE-0-2021-29098)

    Vulnerability from cvelistv5 – Published: 2021-03-25 20:37 – Updated: 2025-04-10 15:22
    VLAI
    Title
    ArcGIS general raster security update: uninitialized pointer
    Summary
    Multiple uninitialized pointer vulnerabilities when parsing a specially crafted file in Esri ArcReader, ArcGIS Desktop, ArcGIS Engine 10.8.1 (and earlier) and ArcGIS Pro 2.7 (and earlier) allow an unauthenticated attacker to achieve arbitrary code execution in the context of the current user.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-824 - Access of Uninitialized Pointer
    Assigner
    Impacted products
    Date Public
    2021-03-16 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T22:02:50.333Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.esri.com/arcgis-blog/products/arcgis/administration/security-advisory-general-raster/"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-361/"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-362/"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-372/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-29098",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-10T14:50:14.442719Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-10T15:22:04.460Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "platforms": [
                "x86 Windows"
              ],
              "product": "ArcReader",
              "vendor": "Esri",
              "versions": [
                {
                  "lessThan": "10.9.0",
                  "status": "affected",
                  "version": "All",
                  "versionType": "custom"
                }
              ]
            },
            {
              "platforms": [
                "x86 Windows"
              ],
              "product": "ArcGIS Desktop",
              "vendor": "Esri",
              "versions": [
                {
                  "lessThan": "10.9.0",
                  "status": "affected",
                  "version": "All",
                  "versionType": "custom"
                }
              ]
            },
            {
              "platforms": [
                "X64 Windows"
              ],
              "product": "ArcGIS Engine",
              "vendor": "Esri",
              "versions": [
                {
                  "lessThan": "10.9.0",
                  "status": "affected",
                  "version": "All",
                  "versionType": "custom"
                }
              ]
            },
            {
              "platforms": [
                "x64 Linux"
              ],
              "product": "ArcGIS Engine",
              "vendor": "Esri",
              "versions": [
                {
                  "lessThan": "10.9.0",
                  "status": "affected",
                  "version": "All",
                  "versionType": "custom"
                }
              ]
            },
            {
              "platforms": [
                "X86 Windows"
              ],
              "product": "ArcGIS Engine",
              "vendor": "Esri",
              "versions": [
                {
                  "lessThan": "10.9.0",
                  "status": "affected",
                  "version": "All",
                  "versionType": "custom"
                }
              ]
            },
            {
              "platforms": [
                "X86 Linux"
              ],
              "product": "ArcGIS Engine",
              "vendor": "Esri",
              "versions": [
                {
                  "lessThan": "10.9.0",
                  "status": "affected",
                  "version": "All",
                  "versionType": "custom"
                }
              ]
            },
            {
              "platforms": [
                "x64 Windows"
              ],
              "product": "ArcGIS Pro",
              "vendor": "Esri",
              "versions": [
                {
                  "lessThan": "4.7.2",
                  "status": "affected",
                  "version": "All",
                  "versionType": "custom"
                }
              ]
            },
            {
              "platforms": [
                "x64 Windows"
              ],
              "product": "ArcGIS Desktop Background Geoprocessing",
              "vendor": "Esri",
              "versions": [
                {
                  "lessThan": "10.9.0",
                  "status": "affected",
                  "version": "All",
                  "versionType": "custom"
                }
              ]
            },
            {
              "platforms": [
                "x64 Linux"
              ],
              "product": "ArcGIS Desktop Background Geoprocessing",
              "vendor": "Esri",
              "versions": [
                {
                  "lessThan": "10.9.0",
                  "status": "affected",
                  "version": "All",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2021-03-16T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Multiple uninitialized pointer vulnerabilities when parsing a specially crafted file in Esri ArcReader, ArcGIS Desktop, ArcGIS Engine 10.8.1 (and earlier) and ArcGIS Pro 2.7 (and earlier) allow an unauthenticated attacker to achieve arbitrary code execution in the context of the current user."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 7.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-824",
                  "description": "CWE-824 Access of Uninitialized Pointer",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-03-31T18:08:21.000Z",
            "orgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
            "shortName": "Esri"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.esri.com/arcgis-blog/products/arcgis/administration/security-advisory-general-raster/"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-361/"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-362/"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-372/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "ArcGIS general raster security update: uninitialized pointer",
          "x_generator": {
            "engine": "Vulnogram 0.0.8"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "psirt@esri.com",
              "DATE_PUBLIC": "2021-03-16T04:00:00.000Z",
              "ID": "CVE-2021-29098",
              "STATE": "PUBLIC",
              "TITLE": "ArcGIS general raster security update: uninitialized pointer"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "ArcReader",
                          "version": {
                            "version_data": [
                              {
                                "platform": "x86 Windows",
                                "version_affected": "\u003c",
                                "version_name": "All",
                                "version_value": "10.9.0"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "ArcGIS Desktop",
                          "version": {
                            "version_data": [
                              {
                                "platform": "x86 Windows",
                                "version_affected": "\u003c",
                                "version_name": "All",
                                "version_value": "10.9.0"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "ArcGIS Engine",
                          "version": {
                            "version_data": [
                              {
                                "platform": "X64 Windows",
                                "version_affected": "\u003c",
                                "version_name": "All",
                                "version_value": "10.9.0"
                              },
                              {
                                "platform": "x64 Linux",
                                "version_affected": "\u003c",
                                "version_name": "All",
                                "version_value": "10.9.0"
                              },
                              {
                                "platform": "X86 Windows",
                                "version_affected": "\u003c",
                                "version_name": "All",
                                "version_value": "10.9.0"
                              },
                              {
                                "platform": "X86 Linux",
                                "version_affected": "\u003c",
                                "version_name": "All",
                                "version_value": "10.9.0"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "ArcGIS Pro",
                          "version": {
                            "version_data": [
                              {
                                "platform": "x64 Windows",
                                "version_affected": "\u003c",
                                "version_name": "All",
                                "version_value": "4.7.2"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "ArcGIS Desktop Background Geoprocessing",
                          "version": {
                            "version_data": [
                              {
                                "platform": "x64 Windows",
                                "version_affected": "\u003c",
                                "version_name": "All",
                                "version_value": "10.9.0"
                              },
                              {
                                "platform": "x64 Linux",
                                "version_affected": "\u003c",
                                "version_name": "All",
                                "version_value": "10.9.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Esri"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Multiple uninitialized pointer vulnerabilities when parsing a specially crafted file in Esri ArcReader, ArcGIS Desktop, ArcGIS Engine 10.8.1 (and earlier) and ArcGIS Pro 2.7 (and earlier) allow an unauthenticated attacker to achieve arbitrary code execution in the context of the current user."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.8"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 7.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-824 Access of Uninitialized Pointer"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.esri.com/arcgis-blog/products/arcgis/administration/security-advisory-general-raster/",
                  "refsource": "CONFIRM",
                  "url": "https://www.esri.com/arcgis-blog/products/arcgis/administration/security-advisory-general-raster/"
                },
                {
                  "name": "https://www.zerodayinitiative.com/advisories/ZDI-21-361/",
                  "refsource": "MISC",
                  "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-361/"
                },
                {
                  "name": "https://www.zerodayinitiative.com/advisories/ZDI-21-362/",
                  "refsource": "MISC",
                  "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-362/"
                },
                {
                  "name": "https://www.zerodayinitiative.com/advisories/ZDI-21-372/",
                  "refsource": "MISC",
                  "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-372/"
                }
              ]
            },
            "source": {
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
        "assignerShortName": "Esri",
        "cveId": "CVE-2021-29098",
        "datePublished": "2021-03-25T20:37:05.516Z",
        "dateReserved": "2021-03-23T00:00:00.000Z",
        "dateUpdated": "2025-04-10T15:22:04.460Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-29097 (GCVE-0-2021-29097)

    Vulnerability from cvelistv5 – Published: 2021-03-25 20:36 – Updated: 2024-09-17 03:17
    VLAI
    Title
    ArcGIS general raster security update: buffer overflow
    Summary
    Multiple buffer overflow vulnerabilities when parsing a specially crafted file in Esri ArcReader, ArcGIS Desktop, ArcGIS Engine 10.8.1 (and earlier) and ArcGIS Pro 2.7 (and earlier) allow an unauthenticated attacker to achieve arbitrary code execution in the context of the current user.
    CWE
    • CWE-122 - Heap-based Buffer Overflow
    • CWE-121 - Stack-based Buffer Overflow
    Assigner
    Impacted products
    Date Public
    2021-03-16 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T22:02:50.311Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.esri.com/arcgis-blog/products/arcgis/administration/security-advisory-general-raster/"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-367/"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-371/"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-364/"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-363/"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-369/"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-368/"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-365/"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-360/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "platforms": [
                "x86"
              ],
              "product": "ArcReader",
              "vendor": "Esri",
              "versions": [
                {
                  "lessThan": "10.9.0",
                  "status": "affected",
                  "version": "All",
                  "versionType": "custom"
                }
              ]
            },
            {
              "platforms": [
                "x86"
              ],
              "product": "ArcGIS Desktop",
              "vendor": "Esri",
              "versions": [
                {
                  "lessThan": "10.9.0",
                  "status": "affected",
                  "version": "All",
                  "versionType": "custom"
                }
              ]
            },
            {
              "platforms": [
                "x64"
              ],
              "product": "ArcGIS Engine",
              "vendor": "Esri",
              "versions": [
                {
                  "lessThan": "10.9.0",
                  "status": "affected",
                  "version": "All",
                  "versionType": "custom"
                }
              ]
            },
            {
              "platforms": [
                "x86"
              ],
              "product": "ArcGIS Engine",
              "vendor": "Esri",
              "versions": [
                {
                  "lessThan": "10.9.0",
                  "status": "affected",
                  "version": "All",
                  "versionType": "custom"
                }
              ]
            },
            {
              "platforms": [
                "x64"
              ],
              "product": "ArcGIS Pro",
              "vendor": "Esri",
              "versions": [
                {
                  "lessThan": "4.7.2",
                  "status": "affected",
                  "version": "All",
                  "versionType": "custom"
                }
              ]
            },
            {
              "platforms": [
                "x86"
              ],
              "product": "ArcGIS Desktop Background Geoprocessing",
              "vendor": "Esri",
              "versions": [
                {
                  "lessThan": "10.9",
                  "status": "affected",
                  "version": "All",
                  "versionType": "custom"
                }
              ]
            },
            {
              "platforms": [
                "x64"
              ],
              "product": "ArcGIS Desktop Background Geoprocessing",
              "vendor": "Esri",
              "versions": [
                {
                  "lessThan": "10.9",
                  "status": "affected",
                  "version": "All",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2021-03-16T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Multiple buffer overflow vulnerabilities when parsing a specially crafted file in Esri ArcReader, ArcGIS Desktop, ArcGIS Engine 10.8.1 (and earlier) and ArcGIS Pro 2.7 (and earlier) allow an unauthenticated attacker to achieve arbitrary code execution in the context of the current user."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 7.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-122",
                  "description": "CWE-122 Heap-based Buffer Overflow",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-121",
                  "description": "CWE-121 Stack-based Buffer Overflow",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-03-31T18:09:22.000Z",
            "orgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
            "shortName": "Esri"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.esri.com/arcgis-blog/products/arcgis/administration/security-advisory-general-raster/"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-367/"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-371/"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-364/"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-363/"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-369/"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-368/"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-365/"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-360/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "ArcGIS general raster security update: buffer overflow",
          "x_generator": {
            "engine": "Vulnogram 0.0.8"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "psirt@esri.com",
              "DATE_PUBLIC": "2021-03-16T04:00:00.000Z",
              "ID": "CVE-2021-29097",
              "STATE": "PUBLIC",
              "TITLE": "ArcGIS general raster security update: buffer overflow"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "ArcReader",
                          "version": {
                            "version_data": [
                              {
                                "platform": "x86",
                                "version_affected": "\u003c",
                                "version_name": "All",
                                "version_value": "10.9.0"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "ArcGIS Desktop",
                          "version": {
                            "version_data": [
                              {
                                "platform": "x86",
                                "version_affected": "\u003c",
                                "version_name": "All",
                                "version_value": "10.9.0"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "ArcGIS Engine",
                          "version": {
                            "version_data": [
                              {
                                "platform": "x64",
                                "version_affected": "\u003c",
                                "version_name": "All",
                                "version_value": "10.9.0"
                              },
                              {
                                "platform": "x86",
                                "version_affected": "\u003c",
                                "version_name": "All",
                                "version_value": "10.9.0"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "ArcGIS Pro",
                          "version": {
                            "version_data": [
                              {
                                "platform": "x64",
                                "version_affected": "\u003c",
                                "version_name": "All",
                                "version_value": "4.7.2"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "ArcGIS Desktop Background Geoprocessing",
                          "version": {
                            "version_data": [
                              {
                                "platform": "x86",
                                "version_affected": "\u003c",
                                "version_name": "All",
                                "version_value": "10.9"
                              },
                              {
                                "platform": "x64",
                                "version_affected": "\u003c",
                                "version_name": "All",
                                "version_value": "10.9"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Esri"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Multiple buffer overflow vulnerabilities when parsing a specially crafted file in Esri ArcReader, ArcGIS Desktop, ArcGIS Engine 10.8.1 (and earlier) and ArcGIS Pro 2.7 (and earlier) allow an unauthenticated attacker to achieve arbitrary code execution in the context of the current user."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.8"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 7.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-122 Heap-based Buffer Overflow"
                    }
                  ]
                },
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-121 Stack-based Buffer Overflow"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.esri.com/arcgis-blog/products/arcgis/administration/security-advisory-general-raster/",
                  "refsource": "CONFIRM",
                  "url": "https://www.esri.com/arcgis-blog/products/arcgis/administration/security-advisory-general-raster/"
                },
                {
                  "name": "https://www.zerodayinitiative.com/advisories/ZDI-21-367/",
                  "refsource": "MISC",
                  "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-367/"
                },
                {
                  "name": "https://www.zerodayinitiative.com/advisories/ZDI-21-371/",
                  "refsource": "MISC",
                  "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-371/"
                },
                {
                  "name": "https://www.zerodayinitiative.com/advisories/ZDI-21-364/",
                  "refsource": "MISC",
                  "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-364/"
                },
                {
                  "name": "https://www.zerodayinitiative.com/advisories/ZDI-21-363/",
                  "refsource": "MISC",
                  "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-363/"
                },
                {
                  "name": "https://www.zerodayinitiative.com/advisories/ZDI-21-369/",
                  "refsource": "MISC",
                  "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-369/"
                },
                {
                  "name": "https://www.zerodayinitiative.com/advisories/ZDI-21-368/",
                  "refsource": "MISC",
                  "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-368/"
                },
                {
                  "name": "https://www.zerodayinitiative.com/advisories/ZDI-21-365/",
                  "refsource": "MISC",
                  "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-365/"
                },
                {
                  "name": "https://www.zerodayinitiative.com/advisories/ZDI-21-360/",
                  "refsource": "MISC",
                  "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-360/"
                }
              ]
            },
            "source": {
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
        "assignerShortName": "Esri",
        "cveId": "CVE-2021-29097",
        "datePublished": "2021-03-25T20:36:03.915Z",
        "dateReserved": "2021-03-23T00:00:00.000Z",
        "dateUpdated": "2024-09-17T03:17:27.744Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-29096 (GCVE-0-2021-29096)

    Vulnerability from cvelistv5 – Published: 2021-03-25 18:37 – Updated: 2024-09-17 03:42
    VLAI
    Title
    ArcGIS general raster security update: use-after-free
    Summary
    A use-after-free vulnerability when parsing a specially crafted file in Esri ArcReader, ArcGIS Desktop, ArcGIS Engine 10.8.1 (and earlier) and ArcGIS Pro 2.7 (and earlier) allows an unauthenticated attacker to achieve arbitrary code execution in the context of the current user.
    CWE
    Assigner
    References
    Impacted products
    Date Public
    2021-03-16 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T22:02:50.577Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.esri.com/arcgis-blog/products/arcgis/administration/security-advisory-general-raster/"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-370/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "platforms": [
                "x86 Windows"
              ],
              "product": "ArcReader",
              "vendor": "Esri",
              "versions": [
                {
                  "lessThan": "10.9.0",
                  "status": "affected",
                  "version": "All",
                  "versionType": "custom"
                }
              ]
            },
            {
              "platforms": [
                "x86 Windows"
              ],
              "product": "ArcGIS Desktop",
              "vendor": "Esri",
              "versions": [
                {
                  "lessThan": "10.9.0",
                  "status": "affected",
                  "version": "All",
                  "versionType": "custom"
                }
              ]
            },
            {
              "platforms": [
                "X64 Windows"
              ],
              "product": "ArcGIS Engine",
              "vendor": "Esri",
              "versions": [
                {
                  "lessThan": "10.9.0",
                  "status": "affected",
                  "version": "All",
                  "versionType": "custom"
                }
              ]
            },
            {
              "platforms": [
                "x64 Linux"
              ],
              "product": "ArcGIS Engine",
              "vendor": "Esri",
              "versions": [
                {
                  "lessThan": "10.9.0",
                  "status": "affected",
                  "version": "All",
                  "versionType": "custom"
                }
              ]
            },
            {
              "platforms": [
                "X86 Windows"
              ],
              "product": "ArcGIS Engine",
              "vendor": "Esri",
              "versions": [
                {
                  "lessThan": "10.9.0",
                  "status": "affected",
                  "version": "All",
                  "versionType": "custom"
                }
              ]
            },
            {
              "platforms": [
                "X86 Linux"
              ],
              "product": "ArcGIS Engine",
              "vendor": "Esri",
              "versions": [
                {
                  "lessThan": "10.9.0",
                  "status": "affected",
                  "version": "All",
                  "versionType": "custom"
                }
              ]
            },
            {
              "platforms": [
                "x86 Windows"
              ],
              "product": "ArcGIS Desktop Background Geoprocessing",
              "vendor": "Esri",
              "versions": [
                {
                  "lessThan": "10.9.0",
                  "status": "affected",
                  "version": "All",
                  "versionType": "custom"
                }
              ]
            },
            {
              "platforms": [
                "x64 Windows"
              ],
              "product": "ArcGIS Engine Background Geoprocessing",
              "vendor": "Esri",
              "versions": [
                {
                  "lessThan": "10.9.0",
                  "status": "affected",
                  "version": "All",
                  "versionType": "custom"
                }
              ]
            },
            {
              "platforms": [
                "x64 Linux"
              ],
              "product": "ArcGIS Engine Background Geoprocessing",
              "vendor": "Esri",
              "versions": [
                {
                  "lessThan": "10.9.0",
                  "status": "affected",
                  "version": "All",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2021-03-16T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A use-after-free vulnerability when parsing a specially crafted file in Esri ArcReader, ArcGIS Desktop, ArcGIS Engine 10.8.1 (and earlier) and ArcGIS Pro 2.7 (and earlier) allows an unauthenticated attacker to achieve arbitrary code execution in the context of the current user."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 7.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-416",
                  "description": "CWE-416 Use After Free",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-03-31T18:10:06.000Z",
            "orgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
            "shortName": "Esri"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.esri.com/arcgis-blog/products/arcgis/administration/security-advisory-general-raster/"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-370/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "ArcGIS general raster security update: use-after-free",
          "x_generator": {
            "engine": "Vulnogram 0.0.8"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "psirt@esri.com",
              "DATE_PUBLIC": "2021-03-16T04:00:00.000Z",
              "ID": "CVE-2021-29096",
              "STATE": "PUBLIC",
              "TITLE": "ArcGIS general raster security update: use-after-free"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "ArcReader",
                          "version": {
                            "version_data": [
                              {
                                "platform": "x86 Windows",
                                "version_affected": "\u003c",
                                "version_name": "All",
                                "version_value": "10.9.0"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "ArcGIS Desktop",
                          "version": {
                            "version_data": [
                              {
                                "platform": "x86 Windows",
                                "version_affected": "\u003c",
                                "version_name": "All",
                                "version_value": "10.9.0"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "ArcGIS Engine",
                          "version": {
                            "version_data": [
                              {
                                "platform": "X64 Windows",
                                "version_affected": "\u003c",
                                "version_name": "All",
                                "version_value": "10.9.0"
                              },
                              {
                                "platform": "x64 Linux",
                                "version_affected": "\u003c",
                                "version_name": "All",
                                "version_value": "10.9.0"
                              },
                              {
                                "platform": "X86 Windows",
                                "version_affected": "\u003c",
                                "version_name": "All",
                                "version_value": "10.9.0"
                              },
                              {
                                "platform": "X86 Linux",
                                "version_affected": "\u003c",
                                "version_name": "All",
                                "version_value": "10.9.0"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "ArcGIS Desktop Background Geoprocessing",
                          "version": {
                            "version_data": [
                              {
                                "platform": "x86 Windows",
                                "version_affected": "\u003c",
                                "version_name": "All",
                                "version_value": "10.9.0"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "ArcGIS Engine Background Geoprocessing",
                          "version": {
                            "version_data": [
                              {
                                "platform": "x64 Windows",
                                "version_affected": "\u003c",
                                "version_name": "All",
                                "version_value": "10.9.0"
                              },
                              {
                                "platform": "x64 Linux",
                                "version_affected": "\u003c",
                                "version_name": "All",
                                "version_value": "10.9.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Esri"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A use-after-free vulnerability when parsing a specially crafted file in Esri ArcReader, ArcGIS Desktop, ArcGIS Engine 10.8.1 (and earlier) and ArcGIS Pro 2.7 (and earlier) allows an unauthenticated attacker to achieve arbitrary code execution in the context of the current user."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.8"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 7.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-416 Use After Free"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.esri.com/arcgis-blog/products/arcgis/administration/security-advisory-general-raster/",
                  "refsource": "CONFIRM",
                  "url": "https://www.esri.com/arcgis-blog/products/arcgis/administration/security-advisory-general-raster/"
                },
                {
                  "name": "https://www.zerodayinitiative.com/advisories/ZDI-21-370/",
                  "refsource": "MISC",
                  "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-370/"
                }
              ]
            },
            "source": {
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
        "assignerShortName": "Esri",
        "cveId": "CVE-2021-29096",
        "datePublished": "2021-03-25T18:37:37.051Z",
        "dateReserved": "2021-03-23T00:00:00.000Z",
        "dateUpdated": "2024-09-17T03:42:41.962Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }