Search
Find a vulnerability
Search criteria
8 vulnerabilities found for arcmap by esri
CVE-2021-29098 (GCVE-0-2021-29098)
Vulnerability from nvd – Published: 2021-03-25 20:37 – Updated: 2025-04-10 15:22
VLAI
Title
ArcGIS general raster security update: uninitialized pointer
Summary
Multiple uninitialized pointer vulnerabilities when parsing a specially crafted file in Esri ArcReader, ArcGIS Desktop, ArcGIS Engine 10.8.1 (and earlier) and ArcGIS Pro 2.7 (and earlier) allow an unauthenticated attacker to achieve arbitrary code execution in the context of the current user.
Severity
7.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-824 - Access of Uninitialized Pointer
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://www.esri.com/arcgis-blog/products/arcgis/… | x_refsource_CONFIRM |
| https://www.zerodayinitiative.com/advisories/ZDI-… | x_refsource_MISC |
| https://www.zerodayinitiative.com/advisories/ZDI-… | x_refsource_MISC |
| https://www.zerodayinitiative.com/advisories/ZDI-… | x_refsource_MISC |
Impacted products
5 products
| Vendor | Product | Version | |
|---|---|---|---|
| Esri | ArcReader |
Affected:
All , < 10.9.0
(custom)
|
|
| Esri | ArcGIS Desktop |
Affected:
All , < 10.9.0
(custom)
|
|
| Esri | ArcGIS Engine |
Affected:
All , < 10.9.0
(custom)
|
|
| Esri | ArcGIS Pro |
Affected:
All , < 4.7.2
(custom)
|
|
| Esri | ArcGIS Desktop Background Geoprocessing |
Affected:
All , < 10.9.0
(custom)
|
Date Public
2021-03-16 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T22:02:50.333Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.esri.com/arcgis-blog/products/arcgis/administration/security-advisory-general-raster/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-361/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-362/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-372/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-29098",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-10T14:50:14.442719Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-10T15:22:04.460Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"platforms": [
"x86 Windows"
],
"product": "ArcReader",
"vendor": "Esri",
"versions": [
{
"lessThan": "10.9.0",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
},
{
"platforms": [
"x86 Windows"
],
"product": "ArcGIS Desktop",
"vendor": "Esri",
"versions": [
{
"lessThan": "10.9.0",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
},
{
"platforms": [
"X64 Windows"
],
"product": "ArcGIS Engine",
"vendor": "Esri",
"versions": [
{
"lessThan": "10.9.0",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
},
{
"platforms": [
"x64 Linux"
],
"product": "ArcGIS Engine",
"vendor": "Esri",
"versions": [
{
"lessThan": "10.9.0",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
},
{
"platforms": [
"X86 Windows"
],
"product": "ArcGIS Engine",
"vendor": "Esri",
"versions": [
{
"lessThan": "10.9.0",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
},
{
"platforms": [
"X86 Linux"
],
"product": "ArcGIS Engine",
"vendor": "Esri",
"versions": [
{
"lessThan": "10.9.0",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
},
{
"platforms": [
"x64 Windows"
],
"product": "ArcGIS Pro",
"vendor": "Esri",
"versions": [
{
"lessThan": "4.7.2",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
},
{
"platforms": [
"x64 Windows"
],
"product": "ArcGIS Desktop Background Geoprocessing",
"vendor": "Esri",
"versions": [
{
"lessThan": "10.9.0",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
},
{
"platforms": [
"x64 Linux"
],
"product": "ArcGIS Desktop Background Geoprocessing",
"vendor": "Esri",
"versions": [
{
"lessThan": "10.9.0",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-03-16T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Multiple uninitialized pointer vulnerabilities when parsing a specially crafted file in Esri ArcReader, ArcGIS Desktop, ArcGIS Engine 10.8.1 (and earlier) and ArcGIS Pro 2.7 (and earlier) allow an unauthenticated attacker to achieve arbitrary code execution in the context of the current user."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-824",
"description": "CWE-824 Access of Uninitialized Pointer",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-03-31T18:08:21.000Z",
"orgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
"shortName": "Esri"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.esri.com/arcgis-blog/products/arcgis/administration/security-advisory-general-raster/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-361/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-362/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-372/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "ArcGIS general raster security update: uninitialized pointer",
"x_generator": {
"engine": "Vulnogram 0.0.8"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@esri.com",
"DATE_PUBLIC": "2021-03-16T04:00:00.000Z",
"ID": "CVE-2021-29098",
"STATE": "PUBLIC",
"TITLE": "ArcGIS general raster security update: uninitialized pointer"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "ArcReader",
"version": {
"version_data": [
{
"platform": "x86 Windows",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "10.9.0"
}
]
}
},
{
"product_name": "ArcGIS Desktop",
"version": {
"version_data": [
{
"platform": "x86 Windows",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "10.9.0"
}
]
}
},
{
"product_name": "ArcGIS Engine",
"version": {
"version_data": [
{
"platform": "X64 Windows",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "10.9.0"
},
{
"platform": "x64 Linux",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "10.9.0"
},
{
"platform": "X86 Windows",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "10.9.0"
},
{
"platform": "X86 Linux",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "10.9.0"
}
]
}
},
{
"product_name": "ArcGIS Pro",
"version": {
"version_data": [
{
"platform": "x64 Windows",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "4.7.2"
}
]
}
},
{
"product_name": "ArcGIS Desktop Background Geoprocessing",
"version": {
"version_data": [
{
"platform": "x64 Windows",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "10.9.0"
},
{
"platform": "x64 Linux",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "10.9.0"
}
]
}
}
]
},
"vendor_name": "Esri"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple uninitialized pointer vulnerabilities when parsing a specially crafted file in Esri ArcReader, ArcGIS Desktop, ArcGIS Engine 10.8.1 (and earlier) and ArcGIS Pro 2.7 (and earlier) allow an unauthenticated attacker to achieve arbitrary code execution in the context of the current user."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.8"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-824 Access of Uninitialized Pointer"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.esri.com/arcgis-blog/products/arcgis/administration/security-advisory-general-raster/",
"refsource": "CONFIRM",
"url": "https://www.esri.com/arcgis-blog/products/arcgis/administration/security-advisory-general-raster/"
},
{
"name": "https://www.zerodayinitiative.com/advisories/ZDI-21-361/",
"refsource": "MISC",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-361/"
},
{
"name": "https://www.zerodayinitiative.com/advisories/ZDI-21-362/",
"refsource": "MISC",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-362/"
},
{
"name": "https://www.zerodayinitiative.com/advisories/ZDI-21-372/",
"refsource": "MISC",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-372/"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
"assignerShortName": "Esri",
"cveId": "CVE-2021-29098",
"datePublished": "2021-03-25T20:37:05.516Z",
"dateReserved": "2021-03-23T00:00:00.000Z",
"dateUpdated": "2025-04-10T15:22:04.460Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-29097 (GCVE-0-2021-29097)
Vulnerability from nvd – Published: 2021-03-25 20:36 – Updated: 2024-09-17 03:17
VLAI
Title
ArcGIS general raster security update: buffer overflow
Summary
Multiple buffer overflow vulnerabilities when parsing a specially crafted file in Esri ArcReader, ArcGIS Desktop, ArcGIS Engine 10.8.1 (and earlier) and ArcGIS Pro 2.7 (and earlier) allow an unauthenticated attacker to achieve arbitrary code execution in the context of the current user.
Severity
7.8 (High)
Assigner
References
9 references
| URL | Tags |
|---|---|
| https://www.esri.com/arcgis-blog/products/arcgis/… | x_refsource_CONFIRM |
| https://www.zerodayinitiative.com/advisories/ZDI-… | x_refsource_MISC |
| https://www.zerodayinitiative.com/advisories/ZDI-… | x_refsource_MISC |
| https://www.zerodayinitiative.com/advisories/ZDI-… | x_refsource_MISC |
| https://www.zerodayinitiative.com/advisories/ZDI-… | x_refsource_MISC |
| https://www.zerodayinitiative.com/advisories/ZDI-… | x_refsource_MISC |
| https://www.zerodayinitiative.com/advisories/ZDI-… | x_refsource_MISC |
| https://www.zerodayinitiative.com/advisories/ZDI-… | x_refsource_MISC |
| https://www.zerodayinitiative.com/advisories/ZDI-… | x_refsource_MISC |
Impacted products
5 products
| Vendor | Product | Version | |
|---|---|---|---|
| Esri | ArcReader |
Affected:
All , < 10.9.0
(custom)
|
|
| Esri | ArcGIS Desktop |
Affected:
All , < 10.9.0
(custom)
|
|
| Esri | ArcGIS Engine |
Affected:
All , < 10.9.0
(custom)
|
|
| Esri | ArcGIS Pro |
Affected:
All , < 4.7.2
(custom)
|
|
| Esri | ArcGIS Desktop Background Geoprocessing |
Affected:
All , < 10.9
(custom)
|
Date Public
2021-03-16 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T22:02:50.311Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.esri.com/arcgis-blog/products/arcgis/administration/security-advisory-general-raster/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-367/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-371/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-364/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-363/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-369/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-368/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-365/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-360/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"platforms": [
"x86"
],
"product": "ArcReader",
"vendor": "Esri",
"versions": [
{
"lessThan": "10.9.0",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
},
{
"platforms": [
"x86"
],
"product": "ArcGIS Desktop",
"vendor": "Esri",
"versions": [
{
"lessThan": "10.9.0",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
},
{
"platforms": [
"x64"
],
"product": "ArcGIS Engine",
"vendor": "Esri",
"versions": [
{
"lessThan": "10.9.0",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
},
{
"platforms": [
"x86"
],
"product": "ArcGIS Engine",
"vendor": "Esri",
"versions": [
{
"lessThan": "10.9.0",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
},
{
"platforms": [
"x64"
],
"product": "ArcGIS Pro",
"vendor": "Esri",
"versions": [
{
"lessThan": "4.7.2",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
},
{
"platforms": [
"x86"
],
"product": "ArcGIS Desktop Background Geoprocessing",
"vendor": "Esri",
"versions": [
{
"lessThan": "10.9",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
},
{
"platforms": [
"x64"
],
"product": "ArcGIS Desktop Background Geoprocessing",
"vendor": "Esri",
"versions": [
{
"lessThan": "10.9",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-03-16T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Multiple buffer overflow vulnerabilities when parsing a specially crafted file in Esri ArcReader, ArcGIS Desktop, ArcGIS Engine 10.8.1 (and earlier) and ArcGIS Pro 2.7 (and earlier) allow an unauthenticated attacker to achieve arbitrary code execution in the context of the current user."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-122",
"description": "CWE-122 Heap-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "CWE-121 Stack-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-03-31T18:09:22.000Z",
"orgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
"shortName": "Esri"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.esri.com/arcgis-blog/products/arcgis/administration/security-advisory-general-raster/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-367/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-371/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-364/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-363/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-369/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-368/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-365/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-360/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "ArcGIS general raster security update: buffer overflow",
"x_generator": {
"engine": "Vulnogram 0.0.8"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@esri.com",
"DATE_PUBLIC": "2021-03-16T04:00:00.000Z",
"ID": "CVE-2021-29097",
"STATE": "PUBLIC",
"TITLE": "ArcGIS general raster security update: buffer overflow"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "ArcReader",
"version": {
"version_data": [
{
"platform": "x86",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "10.9.0"
}
]
}
},
{
"product_name": "ArcGIS Desktop",
"version": {
"version_data": [
{
"platform": "x86",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "10.9.0"
}
]
}
},
{
"product_name": "ArcGIS Engine",
"version": {
"version_data": [
{
"platform": "x64",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "10.9.0"
},
{
"platform": "x86",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "10.9.0"
}
]
}
},
{
"product_name": "ArcGIS Pro",
"version": {
"version_data": [
{
"platform": "x64",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "4.7.2"
}
]
}
},
{
"product_name": "ArcGIS Desktop Background Geoprocessing",
"version": {
"version_data": [
{
"platform": "x86",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "10.9"
},
{
"platform": "x64",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "10.9"
}
]
}
}
]
},
"vendor_name": "Esri"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple buffer overflow vulnerabilities when parsing a specially crafted file in Esri ArcReader, ArcGIS Desktop, ArcGIS Engine 10.8.1 (and earlier) and ArcGIS Pro 2.7 (and earlier) allow an unauthenticated attacker to achieve arbitrary code execution in the context of the current user."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.8"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-122 Heap-based Buffer Overflow"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-121 Stack-based Buffer Overflow"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.esri.com/arcgis-blog/products/arcgis/administration/security-advisory-general-raster/",
"refsource": "CONFIRM",
"url": "https://www.esri.com/arcgis-blog/products/arcgis/administration/security-advisory-general-raster/"
},
{
"name": "https://www.zerodayinitiative.com/advisories/ZDI-21-367/",
"refsource": "MISC",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-367/"
},
{
"name": "https://www.zerodayinitiative.com/advisories/ZDI-21-371/",
"refsource": "MISC",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-371/"
},
{
"name": "https://www.zerodayinitiative.com/advisories/ZDI-21-364/",
"refsource": "MISC",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-364/"
},
{
"name": "https://www.zerodayinitiative.com/advisories/ZDI-21-363/",
"refsource": "MISC",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-363/"
},
{
"name": "https://www.zerodayinitiative.com/advisories/ZDI-21-369/",
"refsource": "MISC",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-369/"
},
{
"name": "https://www.zerodayinitiative.com/advisories/ZDI-21-368/",
"refsource": "MISC",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-368/"
},
{
"name": "https://www.zerodayinitiative.com/advisories/ZDI-21-365/",
"refsource": "MISC",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-365/"
},
{
"name": "https://www.zerodayinitiative.com/advisories/ZDI-21-360/",
"refsource": "MISC",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-360/"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
"assignerShortName": "Esri",
"cveId": "CVE-2021-29097",
"datePublished": "2021-03-25T20:36:03.915Z",
"dateReserved": "2021-03-23T00:00:00.000Z",
"dateUpdated": "2024-09-17T03:17:27.744Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-29096 (GCVE-0-2021-29096)
Vulnerability from nvd – Published: 2021-03-25 18:37 – Updated: 2024-09-17 03:42
VLAI
Title
ArcGIS general raster security update: use-after-free
Summary
A use-after-free vulnerability when parsing a specially crafted file in Esri ArcReader, ArcGIS Desktop, ArcGIS Engine 10.8.1 (and earlier) and ArcGIS Pro 2.7 (and earlier) allows an unauthenticated attacker to achieve arbitrary code execution in the context of the current user.
Severity
7.8 (High)
CWE
- CWE-416 - Use After Free
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.esri.com/arcgis-blog/products/arcgis/… | x_refsource_CONFIRM |
| https://www.zerodayinitiative.com/advisories/ZDI-… | x_refsource_MISC |
Impacted products
5 products
| Vendor | Product | Version | |
|---|---|---|---|
| Esri | ArcReader |
Affected:
All , < 10.9.0
(custom)
|
|
| Esri | ArcGIS Desktop |
Affected:
All , < 10.9.0
(custom)
|
|
| Esri | ArcGIS Engine |
Affected:
All , < 10.9.0
(custom)
|
|
| Esri | ArcGIS Desktop Background Geoprocessing |
Affected:
All , < 10.9.0
(custom)
|
|
| Esri | ArcGIS Engine Background Geoprocessing |
Affected:
All , < 10.9.0
(custom)
|
Date Public
2021-03-16 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T22:02:50.577Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.esri.com/arcgis-blog/products/arcgis/administration/security-advisory-general-raster/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-370/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"platforms": [
"x86 Windows"
],
"product": "ArcReader",
"vendor": "Esri",
"versions": [
{
"lessThan": "10.9.0",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
},
{
"platforms": [
"x86 Windows"
],
"product": "ArcGIS Desktop",
"vendor": "Esri",
"versions": [
{
"lessThan": "10.9.0",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
},
{
"platforms": [
"X64 Windows"
],
"product": "ArcGIS Engine",
"vendor": "Esri",
"versions": [
{
"lessThan": "10.9.0",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
},
{
"platforms": [
"x64 Linux"
],
"product": "ArcGIS Engine",
"vendor": "Esri",
"versions": [
{
"lessThan": "10.9.0",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
},
{
"platforms": [
"X86 Windows"
],
"product": "ArcGIS Engine",
"vendor": "Esri",
"versions": [
{
"lessThan": "10.9.0",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
},
{
"platforms": [
"X86 Linux"
],
"product": "ArcGIS Engine",
"vendor": "Esri",
"versions": [
{
"lessThan": "10.9.0",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
},
{
"platforms": [
"x86 Windows"
],
"product": "ArcGIS Desktop Background Geoprocessing",
"vendor": "Esri",
"versions": [
{
"lessThan": "10.9.0",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
},
{
"platforms": [
"x64 Windows"
],
"product": "ArcGIS Engine Background Geoprocessing",
"vendor": "Esri",
"versions": [
{
"lessThan": "10.9.0",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
},
{
"platforms": [
"x64 Linux"
],
"product": "ArcGIS Engine Background Geoprocessing",
"vendor": "Esri",
"versions": [
{
"lessThan": "10.9.0",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-03-16T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A use-after-free vulnerability when parsing a specially crafted file in Esri ArcReader, ArcGIS Desktop, ArcGIS Engine 10.8.1 (and earlier) and ArcGIS Pro 2.7 (and earlier) allows an unauthenticated attacker to achieve arbitrary code execution in the context of the current user."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-03-31T18:10:06.000Z",
"orgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
"shortName": "Esri"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.esri.com/arcgis-blog/products/arcgis/administration/security-advisory-general-raster/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-370/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "ArcGIS general raster security update: use-after-free",
"x_generator": {
"engine": "Vulnogram 0.0.8"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@esri.com",
"DATE_PUBLIC": "2021-03-16T04:00:00.000Z",
"ID": "CVE-2021-29096",
"STATE": "PUBLIC",
"TITLE": "ArcGIS general raster security update: use-after-free"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "ArcReader",
"version": {
"version_data": [
{
"platform": "x86 Windows",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "10.9.0"
}
]
}
},
{
"product_name": "ArcGIS Desktop",
"version": {
"version_data": [
{
"platform": "x86 Windows",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "10.9.0"
}
]
}
},
{
"product_name": "ArcGIS Engine",
"version": {
"version_data": [
{
"platform": "X64 Windows",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "10.9.0"
},
{
"platform": "x64 Linux",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "10.9.0"
},
{
"platform": "X86 Windows",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "10.9.0"
},
{
"platform": "X86 Linux",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "10.9.0"
}
]
}
},
{
"product_name": "ArcGIS Desktop Background Geoprocessing",
"version": {
"version_data": [
{
"platform": "x86 Windows",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "10.9.0"
}
]
}
},
{
"product_name": "ArcGIS Engine Background Geoprocessing",
"version": {
"version_data": [
{
"platform": "x64 Windows",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "10.9.0"
},
{
"platform": "x64 Linux",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "10.9.0"
}
]
}
}
]
},
"vendor_name": "Esri"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A use-after-free vulnerability when parsing a specially crafted file in Esri ArcReader, ArcGIS Desktop, ArcGIS Engine 10.8.1 (and earlier) and ArcGIS Pro 2.7 (and earlier) allows an unauthenticated attacker to achieve arbitrary code execution in the context of the current user."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.8"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-416 Use After Free"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.esri.com/arcgis-blog/products/arcgis/administration/security-advisory-general-raster/",
"refsource": "CONFIRM",
"url": "https://www.esri.com/arcgis-blog/products/arcgis/administration/security-advisory-general-raster/"
},
{
"name": "https://www.zerodayinitiative.com/advisories/ZDI-21-370/",
"refsource": "MISC",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-370/"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
"assignerShortName": "Esri",
"cveId": "CVE-2021-29096",
"datePublished": "2021-03-25T18:37:37.051Z",
"dateReserved": "2021-03-23T00:00:00.000Z",
"dateUpdated": "2024-09-17T03:42:41.962Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2012-1661 (GCVE-0-2012-1661)
Vulnerability from nvd – Published: 2012-07-12 21:00 – Updated: 2024-09-16 23:46
VLAI
Summary
ESRI ArcMap 9 and ArcGIS 10.0.2.3200 and earlier does not properly prompt users before executing embedded VBA macros, which allows user-assisted remote attackers to execute arbitrary VBA code via a crafted map (.mxd) file.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
5 references
| URL | Tags |
|---|---|
| http://www.exploit-db.com/exploits/19138 | exploitx_refsource_EXPLOIT-DB |
| http://packetstormsecurity.org/files/113644/ESRI-… | x_refsource_MISC |
| http://www.cs.umb.edu/~joecohen/exploits/CVE-2012-1661/ | x_refsource_MISC |
| http://www.securitytracker.com/id?1027170 | vdb-entryx_refsource_SECTRACK |
| http://www.osvdb.org/82986 | vdb-entryx_refsource_OSVDB |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T19:01:02.926Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "19138",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "http://www.exploit-db.com/exploits/19138"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.org/files/113644/ESRI-ArcMap-Arbitrary-Code-Execution.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.cs.umb.edu/~joecohen/exploits/CVE-2012-1661/"
},
{
"name": "1027170",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id?1027170"
},
{
"name": "82986",
"tags": [
"vdb-entry",
"x_refsource_OSVDB",
"x_transferred"
],
"url": "http://www.osvdb.org/82986"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ESRI ArcMap 9 and ArcGIS 10.0.2.3200 and earlier does not properly prompt users before executing embedded VBA macros, which allows user-assisted remote attackers to execute arbitrary VBA code via a crafted map (.mxd) file."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2012-07-12T21:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "19138",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "http://www.exploit-db.com/exploits/19138"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.org/files/113644/ESRI-ArcMap-Arbitrary-Code-Execution.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://www.cs.umb.edu/~joecohen/exploits/CVE-2012-1661/"
},
{
"name": "1027170",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id?1027170"
},
{
"name": "82986",
"tags": [
"vdb-entry",
"x_refsource_OSVDB"
],
"url": "http://www.osvdb.org/82986"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2012-1661",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "ESRI ArcMap 9 and ArcGIS 10.0.2.3200 and earlier does not properly prompt users before executing embedded VBA macros, which allows user-assisted remote attackers to execute arbitrary VBA code via a crafted map (.mxd) file."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "19138",
"refsource": "EXPLOIT-DB",
"url": "http://www.exploit-db.com/exploits/19138"
},
{
"name": "http://packetstormsecurity.org/files/113644/ESRI-ArcMap-Arbitrary-Code-Execution.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.org/files/113644/ESRI-ArcMap-Arbitrary-Code-Execution.html"
},
{
"name": "http://www.cs.umb.edu/~joecohen/exploits/CVE-2012-1661/",
"refsource": "MISC",
"url": "http://www.cs.umb.edu/~joecohen/exploits/CVE-2012-1661/"
},
{
"name": "1027170",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id?1027170"
},
{
"name": "82986",
"refsource": "OSVDB",
"url": "http://www.osvdb.org/82986"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2012-1661",
"datePublished": "2012-07-12T21:00:00.000Z",
"dateReserved": "2012-03-13T00:00:00.000Z",
"dateUpdated": "2024-09-16T23:46:27.819Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-29098 (GCVE-0-2021-29098)
Vulnerability from cvelistv5 – Published: 2021-03-25 20:37 – Updated: 2025-04-10 15:22
VLAI
Title
ArcGIS general raster security update: uninitialized pointer
Summary
Multiple uninitialized pointer vulnerabilities when parsing a specially crafted file in Esri ArcReader, ArcGIS Desktop, ArcGIS Engine 10.8.1 (and earlier) and ArcGIS Pro 2.7 (and earlier) allow an unauthenticated attacker to achieve arbitrary code execution in the context of the current user.
Severity
7.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-824 - Access of Uninitialized Pointer
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://www.esri.com/arcgis-blog/products/arcgis/… | x_refsource_CONFIRM |
| https://www.zerodayinitiative.com/advisories/ZDI-… | x_refsource_MISC |
| https://www.zerodayinitiative.com/advisories/ZDI-… | x_refsource_MISC |
| https://www.zerodayinitiative.com/advisories/ZDI-… | x_refsource_MISC |
Impacted products
5 products
| Vendor | Product | Version | |
|---|---|---|---|
| Esri | ArcReader |
Affected:
All , < 10.9.0
(custom)
|
|
| Esri | ArcGIS Desktop |
Affected:
All , < 10.9.0
(custom)
|
|
| Esri | ArcGIS Engine |
Affected:
All , < 10.9.0
(custom)
|
|
| Esri | ArcGIS Pro |
Affected:
All , < 4.7.2
(custom)
|
|
| Esri | ArcGIS Desktop Background Geoprocessing |
Affected:
All , < 10.9.0
(custom)
|
Date Public
2021-03-16 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T22:02:50.333Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.esri.com/arcgis-blog/products/arcgis/administration/security-advisory-general-raster/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-361/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-362/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-372/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-29098",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-10T14:50:14.442719Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-10T15:22:04.460Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"platforms": [
"x86 Windows"
],
"product": "ArcReader",
"vendor": "Esri",
"versions": [
{
"lessThan": "10.9.0",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
},
{
"platforms": [
"x86 Windows"
],
"product": "ArcGIS Desktop",
"vendor": "Esri",
"versions": [
{
"lessThan": "10.9.0",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
},
{
"platforms": [
"X64 Windows"
],
"product": "ArcGIS Engine",
"vendor": "Esri",
"versions": [
{
"lessThan": "10.9.0",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
},
{
"platforms": [
"x64 Linux"
],
"product": "ArcGIS Engine",
"vendor": "Esri",
"versions": [
{
"lessThan": "10.9.0",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
},
{
"platforms": [
"X86 Windows"
],
"product": "ArcGIS Engine",
"vendor": "Esri",
"versions": [
{
"lessThan": "10.9.0",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
},
{
"platforms": [
"X86 Linux"
],
"product": "ArcGIS Engine",
"vendor": "Esri",
"versions": [
{
"lessThan": "10.9.0",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
},
{
"platforms": [
"x64 Windows"
],
"product": "ArcGIS Pro",
"vendor": "Esri",
"versions": [
{
"lessThan": "4.7.2",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
},
{
"platforms": [
"x64 Windows"
],
"product": "ArcGIS Desktop Background Geoprocessing",
"vendor": "Esri",
"versions": [
{
"lessThan": "10.9.0",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
},
{
"platforms": [
"x64 Linux"
],
"product": "ArcGIS Desktop Background Geoprocessing",
"vendor": "Esri",
"versions": [
{
"lessThan": "10.9.0",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-03-16T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Multiple uninitialized pointer vulnerabilities when parsing a specially crafted file in Esri ArcReader, ArcGIS Desktop, ArcGIS Engine 10.8.1 (and earlier) and ArcGIS Pro 2.7 (and earlier) allow an unauthenticated attacker to achieve arbitrary code execution in the context of the current user."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-824",
"description": "CWE-824 Access of Uninitialized Pointer",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-03-31T18:08:21.000Z",
"orgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
"shortName": "Esri"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.esri.com/arcgis-blog/products/arcgis/administration/security-advisory-general-raster/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-361/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-362/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-372/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "ArcGIS general raster security update: uninitialized pointer",
"x_generator": {
"engine": "Vulnogram 0.0.8"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@esri.com",
"DATE_PUBLIC": "2021-03-16T04:00:00.000Z",
"ID": "CVE-2021-29098",
"STATE": "PUBLIC",
"TITLE": "ArcGIS general raster security update: uninitialized pointer"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "ArcReader",
"version": {
"version_data": [
{
"platform": "x86 Windows",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "10.9.0"
}
]
}
},
{
"product_name": "ArcGIS Desktop",
"version": {
"version_data": [
{
"platform": "x86 Windows",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "10.9.0"
}
]
}
},
{
"product_name": "ArcGIS Engine",
"version": {
"version_data": [
{
"platform": "X64 Windows",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "10.9.0"
},
{
"platform": "x64 Linux",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "10.9.0"
},
{
"platform": "X86 Windows",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "10.9.0"
},
{
"platform": "X86 Linux",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "10.9.0"
}
]
}
},
{
"product_name": "ArcGIS Pro",
"version": {
"version_data": [
{
"platform": "x64 Windows",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "4.7.2"
}
]
}
},
{
"product_name": "ArcGIS Desktop Background Geoprocessing",
"version": {
"version_data": [
{
"platform": "x64 Windows",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "10.9.0"
},
{
"platform": "x64 Linux",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "10.9.0"
}
]
}
}
]
},
"vendor_name": "Esri"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple uninitialized pointer vulnerabilities when parsing a specially crafted file in Esri ArcReader, ArcGIS Desktop, ArcGIS Engine 10.8.1 (and earlier) and ArcGIS Pro 2.7 (and earlier) allow an unauthenticated attacker to achieve arbitrary code execution in the context of the current user."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.8"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-824 Access of Uninitialized Pointer"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.esri.com/arcgis-blog/products/arcgis/administration/security-advisory-general-raster/",
"refsource": "CONFIRM",
"url": "https://www.esri.com/arcgis-blog/products/arcgis/administration/security-advisory-general-raster/"
},
{
"name": "https://www.zerodayinitiative.com/advisories/ZDI-21-361/",
"refsource": "MISC",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-361/"
},
{
"name": "https://www.zerodayinitiative.com/advisories/ZDI-21-362/",
"refsource": "MISC",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-362/"
},
{
"name": "https://www.zerodayinitiative.com/advisories/ZDI-21-372/",
"refsource": "MISC",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-372/"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
"assignerShortName": "Esri",
"cveId": "CVE-2021-29098",
"datePublished": "2021-03-25T20:37:05.516Z",
"dateReserved": "2021-03-23T00:00:00.000Z",
"dateUpdated": "2025-04-10T15:22:04.460Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-29097 (GCVE-0-2021-29097)
Vulnerability from cvelistv5 – Published: 2021-03-25 20:36 – Updated: 2024-09-17 03:17
VLAI
Title
ArcGIS general raster security update: buffer overflow
Summary
Multiple buffer overflow vulnerabilities when parsing a specially crafted file in Esri ArcReader, ArcGIS Desktop, ArcGIS Engine 10.8.1 (and earlier) and ArcGIS Pro 2.7 (and earlier) allow an unauthenticated attacker to achieve arbitrary code execution in the context of the current user.
Severity
7.8 (High)
Assigner
References
9 references
| URL | Tags |
|---|---|
| https://www.esri.com/arcgis-blog/products/arcgis/… | x_refsource_CONFIRM |
| https://www.zerodayinitiative.com/advisories/ZDI-… | x_refsource_MISC |
| https://www.zerodayinitiative.com/advisories/ZDI-… | x_refsource_MISC |
| https://www.zerodayinitiative.com/advisories/ZDI-… | x_refsource_MISC |
| https://www.zerodayinitiative.com/advisories/ZDI-… | x_refsource_MISC |
| https://www.zerodayinitiative.com/advisories/ZDI-… | x_refsource_MISC |
| https://www.zerodayinitiative.com/advisories/ZDI-… | x_refsource_MISC |
| https://www.zerodayinitiative.com/advisories/ZDI-… | x_refsource_MISC |
| https://www.zerodayinitiative.com/advisories/ZDI-… | x_refsource_MISC |
Impacted products
5 products
| Vendor | Product | Version | |
|---|---|---|---|
| Esri | ArcReader |
Affected:
All , < 10.9.0
(custom)
|
|
| Esri | ArcGIS Desktop |
Affected:
All , < 10.9.0
(custom)
|
|
| Esri | ArcGIS Engine |
Affected:
All , < 10.9.0
(custom)
|
|
| Esri | ArcGIS Pro |
Affected:
All , < 4.7.2
(custom)
|
|
| Esri | ArcGIS Desktop Background Geoprocessing |
Affected:
All , < 10.9
(custom)
|
Date Public
2021-03-16 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T22:02:50.311Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.esri.com/arcgis-blog/products/arcgis/administration/security-advisory-general-raster/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-367/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-371/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-364/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-363/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-369/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-368/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-365/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-360/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"platforms": [
"x86"
],
"product": "ArcReader",
"vendor": "Esri",
"versions": [
{
"lessThan": "10.9.0",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
},
{
"platforms": [
"x86"
],
"product": "ArcGIS Desktop",
"vendor": "Esri",
"versions": [
{
"lessThan": "10.9.0",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
},
{
"platforms": [
"x64"
],
"product": "ArcGIS Engine",
"vendor": "Esri",
"versions": [
{
"lessThan": "10.9.0",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
},
{
"platforms": [
"x86"
],
"product": "ArcGIS Engine",
"vendor": "Esri",
"versions": [
{
"lessThan": "10.9.0",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
},
{
"platforms": [
"x64"
],
"product": "ArcGIS Pro",
"vendor": "Esri",
"versions": [
{
"lessThan": "4.7.2",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
},
{
"platforms": [
"x86"
],
"product": "ArcGIS Desktop Background Geoprocessing",
"vendor": "Esri",
"versions": [
{
"lessThan": "10.9",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
},
{
"platforms": [
"x64"
],
"product": "ArcGIS Desktop Background Geoprocessing",
"vendor": "Esri",
"versions": [
{
"lessThan": "10.9",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-03-16T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Multiple buffer overflow vulnerabilities when parsing a specially crafted file in Esri ArcReader, ArcGIS Desktop, ArcGIS Engine 10.8.1 (and earlier) and ArcGIS Pro 2.7 (and earlier) allow an unauthenticated attacker to achieve arbitrary code execution in the context of the current user."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-122",
"description": "CWE-122 Heap-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "CWE-121 Stack-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-03-31T18:09:22.000Z",
"orgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
"shortName": "Esri"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.esri.com/arcgis-blog/products/arcgis/administration/security-advisory-general-raster/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-367/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-371/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-364/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-363/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-369/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-368/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-365/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-360/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "ArcGIS general raster security update: buffer overflow",
"x_generator": {
"engine": "Vulnogram 0.0.8"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@esri.com",
"DATE_PUBLIC": "2021-03-16T04:00:00.000Z",
"ID": "CVE-2021-29097",
"STATE": "PUBLIC",
"TITLE": "ArcGIS general raster security update: buffer overflow"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "ArcReader",
"version": {
"version_data": [
{
"platform": "x86",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "10.9.0"
}
]
}
},
{
"product_name": "ArcGIS Desktop",
"version": {
"version_data": [
{
"platform": "x86",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "10.9.0"
}
]
}
},
{
"product_name": "ArcGIS Engine",
"version": {
"version_data": [
{
"platform": "x64",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "10.9.0"
},
{
"platform": "x86",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "10.9.0"
}
]
}
},
{
"product_name": "ArcGIS Pro",
"version": {
"version_data": [
{
"platform": "x64",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "4.7.2"
}
]
}
},
{
"product_name": "ArcGIS Desktop Background Geoprocessing",
"version": {
"version_data": [
{
"platform": "x86",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "10.9"
},
{
"platform": "x64",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "10.9"
}
]
}
}
]
},
"vendor_name": "Esri"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple buffer overflow vulnerabilities when parsing a specially crafted file in Esri ArcReader, ArcGIS Desktop, ArcGIS Engine 10.8.1 (and earlier) and ArcGIS Pro 2.7 (and earlier) allow an unauthenticated attacker to achieve arbitrary code execution in the context of the current user."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.8"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-122 Heap-based Buffer Overflow"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-121 Stack-based Buffer Overflow"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.esri.com/arcgis-blog/products/arcgis/administration/security-advisory-general-raster/",
"refsource": "CONFIRM",
"url": "https://www.esri.com/arcgis-blog/products/arcgis/administration/security-advisory-general-raster/"
},
{
"name": "https://www.zerodayinitiative.com/advisories/ZDI-21-367/",
"refsource": "MISC",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-367/"
},
{
"name": "https://www.zerodayinitiative.com/advisories/ZDI-21-371/",
"refsource": "MISC",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-371/"
},
{
"name": "https://www.zerodayinitiative.com/advisories/ZDI-21-364/",
"refsource": "MISC",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-364/"
},
{
"name": "https://www.zerodayinitiative.com/advisories/ZDI-21-363/",
"refsource": "MISC",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-363/"
},
{
"name": "https://www.zerodayinitiative.com/advisories/ZDI-21-369/",
"refsource": "MISC",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-369/"
},
{
"name": "https://www.zerodayinitiative.com/advisories/ZDI-21-368/",
"refsource": "MISC",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-368/"
},
{
"name": "https://www.zerodayinitiative.com/advisories/ZDI-21-365/",
"refsource": "MISC",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-365/"
},
{
"name": "https://www.zerodayinitiative.com/advisories/ZDI-21-360/",
"refsource": "MISC",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-360/"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
"assignerShortName": "Esri",
"cveId": "CVE-2021-29097",
"datePublished": "2021-03-25T20:36:03.915Z",
"dateReserved": "2021-03-23T00:00:00.000Z",
"dateUpdated": "2024-09-17T03:17:27.744Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-29096 (GCVE-0-2021-29096)
Vulnerability from cvelistv5 – Published: 2021-03-25 18:37 – Updated: 2024-09-17 03:42
VLAI
Title
ArcGIS general raster security update: use-after-free
Summary
A use-after-free vulnerability when parsing a specially crafted file in Esri ArcReader, ArcGIS Desktop, ArcGIS Engine 10.8.1 (and earlier) and ArcGIS Pro 2.7 (and earlier) allows an unauthenticated attacker to achieve arbitrary code execution in the context of the current user.
Severity
7.8 (High)
CWE
- CWE-416 - Use After Free
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.esri.com/arcgis-blog/products/arcgis/… | x_refsource_CONFIRM |
| https://www.zerodayinitiative.com/advisories/ZDI-… | x_refsource_MISC |
Impacted products
5 products
| Vendor | Product | Version | |
|---|---|---|---|
| Esri | ArcReader |
Affected:
All , < 10.9.0
(custom)
|
|
| Esri | ArcGIS Desktop |
Affected:
All , < 10.9.0
(custom)
|
|
| Esri | ArcGIS Engine |
Affected:
All , < 10.9.0
(custom)
|
|
| Esri | ArcGIS Desktop Background Geoprocessing |
Affected:
All , < 10.9.0
(custom)
|
|
| Esri | ArcGIS Engine Background Geoprocessing |
Affected:
All , < 10.9.0
(custom)
|
Date Public
2021-03-16 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T22:02:50.577Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.esri.com/arcgis-blog/products/arcgis/administration/security-advisory-general-raster/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-370/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"platforms": [
"x86 Windows"
],
"product": "ArcReader",
"vendor": "Esri",
"versions": [
{
"lessThan": "10.9.0",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
},
{
"platforms": [
"x86 Windows"
],
"product": "ArcGIS Desktop",
"vendor": "Esri",
"versions": [
{
"lessThan": "10.9.0",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
},
{
"platforms": [
"X64 Windows"
],
"product": "ArcGIS Engine",
"vendor": "Esri",
"versions": [
{
"lessThan": "10.9.0",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
},
{
"platforms": [
"x64 Linux"
],
"product": "ArcGIS Engine",
"vendor": "Esri",
"versions": [
{
"lessThan": "10.9.0",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
},
{
"platforms": [
"X86 Windows"
],
"product": "ArcGIS Engine",
"vendor": "Esri",
"versions": [
{
"lessThan": "10.9.0",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
},
{
"platforms": [
"X86 Linux"
],
"product": "ArcGIS Engine",
"vendor": "Esri",
"versions": [
{
"lessThan": "10.9.0",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
},
{
"platforms": [
"x86 Windows"
],
"product": "ArcGIS Desktop Background Geoprocessing",
"vendor": "Esri",
"versions": [
{
"lessThan": "10.9.0",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
},
{
"platforms": [
"x64 Windows"
],
"product": "ArcGIS Engine Background Geoprocessing",
"vendor": "Esri",
"versions": [
{
"lessThan": "10.9.0",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
},
{
"platforms": [
"x64 Linux"
],
"product": "ArcGIS Engine Background Geoprocessing",
"vendor": "Esri",
"versions": [
{
"lessThan": "10.9.0",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-03-16T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A use-after-free vulnerability when parsing a specially crafted file in Esri ArcReader, ArcGIS Desktop, ArcGIS Engine 10.8.1 (and earlier) and ArcGIS Pro 2.7 (and earlier) allows an unauthenticated attacker to achieve arbitrary code execution in the context of the current user."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-03-31T18:10:06.000Z",
"orgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
"shortName": "Esri"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.esri.com/arcgis-blog/products/arcgis/administration/security-advisory-general-raster/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-370/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "ArcGIS general raster security update: use-after-free",
"x_generator": {
"engine": "Vulnogram 0.0.8"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@esri.com",
"DATE_PUBLIC": "2021-03-16T04:00:00.000Z",
"ID": "CVE-2021-29096",
"STATE": "PUBLIC",
"TITLE": "ArcGIS general raster security update: use-after-free"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "ArcReader",
"version": {
"version_data": [
{
"platform": "x86 Windows",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "10.9.0"
}
]
}
},
{
"product_name": "ArcGIS Desktop",
"version": {
"version_data": [
{
"platform": "x86 Windows",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "10.9.0"
}
]
}
},
{
"product_name": "ArcGIS Engine",
"version": {
"version_data": [
{
"platform": "X64 Windows",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "10.9.0"
},
{
"platform": "x64 Linux",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "10.9.0"
},
{
"platform": "X86 Windows",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "10.9.0"
},
{
"platform": "X86 Linux",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "10.9.0"
}
]
}
},
{
"product_name": "ArcGIS Desktop Background Geoprocessing",
"version": {
"version_data": [
{
"platform": "x86 Windows",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "10.9.0"
}
]
}
},
{
"product_name": "ArcGIS Engine Background Geoprocessing",
"version": {
"version_data": [
{
"platform": "x64 Windows",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "10.9.0"
},
{
"platform": "x64 Linux",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "10.9.0"
}
]
}
}
]
},
"vendor_name": "Esri"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A use-after-free vulnerability when parsing a specially crafted file in Esri ArcReader, ArcGIS Desktop, ArcGIS Engine 10.8.1 (and earlier) and ArcGIS Pro 2.7 (and earlier) allows an unauthenticated attacker to achieve arbitrary code execution in the context of the current user."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.8"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-416 Use After Free"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.esri.com/arcgis-blog/products/arcgis/administration/security-advisory-general-raster/",
"refsource": "CONFIRM",
"url": "https://www.esri.com/arcgis-blog/products/arcgis/administration/security-advisory-general-raster/"
},
{
"name": "https://www.zerodayinitiative.com/advisories/ZDI-21-370/",
"refsource": "MISC",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-370/"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
"assignerShortName": "Esri",
"cveId": "CVE-2021-29096",
"datePublished": "2021-03-25T18:37:37.051Z",
"dateReserved": "2021-03-23T00:00:00.000Z",
"dateUpdated": "2024-09-17T03:42:41.962Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2012-1661 (GCVE-0-2012-1661)
Vulnerability from cvelistv5 – Published: 2012-07-12 21:00 – Updated: 2024-09-16 23:46
VLAI
Summary
ESRI ArcMap 9 and ArcGIS 10.0.2.3200 and earlier does not properly prompt users before executing embedded VBA macros, which allows user-assisted remote attackers to execute arbitrary VBA code via a crafted map (.mxd) file.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
5 references
| URL | Tags |
|---|---|
| http://www.exploit-db.com/exploits/19138 | exploitx_refsource_EXPLOIT-DB |
| http://packetstormsecurity.org/files/113644/ESRI-… | x_refsource_MISC |
| http://www.cs.umb.edu/~joecohen/exploits/CVE-2012-1661/ | x_refsource_MISC |
| http://www.securitytracker.com/id?1027170 | vdb-entryx_refsource_SECTRACK |
| http://www.osvdb.org/82986 | vdb-entryx_refsource_OSVDB |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T19:01:02.926Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "19138",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "http://www.exploit-db.com/exploits/19138"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.org/files/113644/ESRI-ArcMap-Arbitrary-Code-Execution.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.cs.umb.edu/~joecohen/exploits/CVE-2012-1661/"
},
{
"name": "1027170",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id?1027170"
},
{
"name": "82986",
"tags": [
"vdb-entry",
"x_refsource_OSVDB",
"x_transferred"
],
"url": "http://www.osvdb.org/82986"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ESRI ArcMap 9 and ArcGIS 10.0.2.3200 and earlier does not properly prompt users before executing embedded VBA macros, which allows user-assisted remote attackers to execute arbitrary VBA code via a crafted map (.mxd) file."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2012-07-12T21:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "19138",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "http://www.exploit-db.com/exploits/19138"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.org/files/113644/ESRI-ArcMap-Arbitrary-Code-Execution.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://www.cs.umb.edu/~joecohen/exploits/CVE-2012-1661/"
},
{
"name": "1027170",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id?1027170"
},
{
"name": "82986",
"tags": [
"vdb-entry",
"x_refsource_OSVDB"
],
"url": "http://www.osvdb.org/82986"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2012-1661",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "ESRI ArcMap 9 and ArcGIS 10.0.2.3200 and earlier does not properly prompt users before executing embedded VBA macros, which allows user-assisted remote attackers to execute arbitrary VBA code via a crafted map (.mxd) file."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "19138",
"refsource": "EXPLOIT-DB",
"url": "http://www.exploit-db.com/exploits/19138"
},
{
"name": "http://packetstormsecurity.org/files/113644/ESRI-ArcMap-Arbitrary-Code-Execution.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.org/files/113644/ESRI-ArcMap-Arbitrary-Code-Execution.html"
},
{
"name": "http://www.cs.umb.edu/~joecohen/exploits/CVE-2012-1661/",
"refsource": "MISC",
"url": "http://www.cs.umb.edu/~joecohen/exploits/CVE-2012-1661/"
},
{
"name": "1027170",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id?1027170"
},
{
"name": "82986",
"refsource": "OSVDB",
"url": "http://www.osvdb.org/82986"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2012-1661",
"datePublished": "2012-07-12T21:00:00.000Z",
"dateReserved": "2012-03-13T00:00:00.000Z",
"dateUpdated": "2024-09-16T23:46:27.819Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}