Search criteria
12 vulnerabilities found for arcmap by esri
FKIE_CVE-2021-29097
Vulnerability from fkie_nvd - Published: 2021-03-25 21:15 - Updated: 2024-11-21 06:00
Severity ?
Summary
Multiple buffer overflow vulnerabilities when parsing a specially crafted file in Esri ArcReader, ArcGIS Desktop, ArcGIS Engine 10.8.1 (and earlier) and ArcGIS Pro 2.7 (and earlier) allow an unauthenticated attacker to achieve arbitrary code execution in the context of the current user.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| esri | arcgis_engine | * | |
| esri | arcgis_pro | * | |
| esri | arcmap | * | |
| esri | arcreader | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:esri:arcgis_engine:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2A49E9C8-9522-45F8-B3B8-FB58D40105B4",
"versionEndIncluding": "10.8.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:arcgis_pro:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B3B1EC12-C1FB-408B-823C-8FF6581ED8ED",
"versionEndIncluding": "2.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:arcmap:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C055EC7D-F119-4350-9C8D-731873D70D4F",
"versionEndIncluding": "10.8.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:arcreader:*:*:*:*:*:*:*:*",
"matchCriteriaId": "93D3FB72-81E3-4DA3-88E7-B12BEDE51A53",
"versionEndIncluding": "10.8.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Multiple buffer overflow vulnerabilities when parsing a specially crafted file in Esri ArcReader, ArcGIS Desktop, ArcGIS Engine 10.8.1 (and earlier) and ArcGIS Pro 2.7 (and earlier) allow an unauthenticated attacker to achieve arbitrary code execution in the context of the current user."
},
{
"lang": "es",
"value": "M\u00faltiples vulnerabilidades de desbordamiento de b\u00fafer cuando se analiza un archivo especialmente dise\u00f1ado en Esri ArcReader, ArcGIS Desktop, ArcGIS Engine versiones 10.8.1 (y anteriores) y ArcGIS Pro versiones 2.7 (y anteriores), permiten a un atacante no autenticado lograr una ejecuci\u00f3n de c\u00f3digo arbitrario en el contexto del usuario actual"
}
],
"id": "CVE-2021-29097",
"lastModified": "2024-11-21T06:00:42.570",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 1.8,
"impactScore": 5.9,
"source": "psirt@esri.com",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-03-25T21:15:13.467",
"references": [
{
"source": "psirt@esri.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.esri.com/arcgis-blog/products/arcgis/administration/security-advisory-general-raster/"
},
{
"source": "psirt@esri.com",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-360/"
},
{
"source": "psirt@esri.com",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-363/"
},
{
"source": "psirt@esri.com",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-364/"
},
{
"source": "psirt@esri.com",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-365/"
},
{
"source": "psirt@esri.com",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-367/"
},
{
"source": "psirt@esri.com",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-368/"
},
{
"source": "psirt@esri.com",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-369/"
},
{
"source": "psirt@esri.com",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-371/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.esri.com/arcgis-blog/products/arcgis/administration/security-advisory-general-raster/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-360/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-363/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-364/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-365/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-367/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-368/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-369/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-371/"
}
],
"sourceIdentifier": "psirt@esri.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-121"
},
{
"lang": "en",
"value": "CWE-122"
}
],
"source": "psirt@esri.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-119"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2021-29098
Vulnerability from fkie_nvd - Published: 2021-03-25 21:15 - Updated: 2025-05-05 14:12
Severity ?
Summary
Multiple uninitialized pointer vulnerabilities when parsing a specially crafted file in Esri ArcReader, ArcGIS Desktop, ArcGIS Engine 10.8.1 (and earlier) and ArcGIS Pro 2.7 (and earlier) allow an unauthenticated attacker to achieve arbitrary code execution in the context of the current user.
References
| URL | Tags | ||
|---|---|---|---|
| psirt@esri.com | https://www.esri.com/arcgis-blog/products/arcgis/administration/security-advisory-general-raster/ | Vendor Advisory | |
| psirt@esri.com | https://www.zerodayinitiative.com/advisories/ZDI-21-361/ | Third Party Advisory, VDB Entry | |
| psirt@esri.com | https://www.zerodayinitiative.com/advisories/ZDI-21-362/ | Third Party Advisory, VDB Entry | |
| psirt@esri.com | https://www.zerodayinitiative.com/advisories/ZDI-21-372/ | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.esri.com/arcgis-blog/products/arcgis/administration/security-advisory-general-raster/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.zerodayinitiative.com/advisories/ZDI-21-361/ | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.zerodayinitiative.com/advisories/ZDI-21-362/ | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.zerodayinitiative.com/advisories/ZDI-21-372/ | Third Party Advisory, VDB Entry |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| esri | arcgis_engine | * | |
| esri | arcgis_pro | * | |
| esri | arcmap | * | |
| esri | arcreader | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:esri:arcgis_engine:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2A49E9C8-9522-45F8-B3B8-FB58D40105B4",
"versionEndIncluding": "10.8.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:arcgis_pro:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B3B1EC12-C1FB-408B-823C-8FF6581ED8ED",
"versionEndIncluding": "2.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:arcmap:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C055EC7D-F119-4350-9C8D-731873D70D4F",
"versionEndIncluding": "10.8.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:arcreader:*:*:*:*:*:*:*:*",
"matchCriteriaId": "93D3FB72-81E3-4DA3-88E7-B12BEDE51A53",
"versionEndIncluding": "10.8.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Multiple uninitialized pointer vulnerabilities when parsing a specially crafted file in Esri ArcReader, ArcGIS Desktop, ArcGIS Engine 10.8.1 (and earlier) and ArcGIS Pro 2.7 (and earlier) allow an unauthenticated attacker to achieve arbitrary code execution in the context of the current user."
},
{
"lang": "es",
"value": "M\u00faltiples vulnerabilidades de puntero no inicializado cuando se analiza un archivo especialmente dise\u00f1ado en Esri ArcReader, ArcGIS Desktop, ArcGIS Engine versiones 10.8.1 (y anteriores) y ArcGIS Pro versiones 2.7 (y anteriores), permiten a un atacante no autenticado lograr una ejecuci\u00f3n de c\u00f3digo arbitrario en el contexto del usuario actual"
}
],
"id": "CVE-2021-29098",
"lastModified": "2025-05-05T14:12:43.760",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 1.8,
"impactScore": 5.9,
"source": "psirt@esri.com",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-03-25T21:15:13.543",
"references": [
{
"source": "psirt@esri.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.esri.com/arcgis-blog/products/arcgis/administration/security-advisory-general-raster/"
},
{
"source": "psirt@esri.com",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-361/"
},
{
"source": "psirt@esri.com",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-362/"
},
{
"source": "psirt@esri.com",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-372/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.esri.com/arcgis-blog/products/arcgis/administration/security-advisory-general-raster/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-361/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-362/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-372/"
}
],
"sourceIdentifier": "psirt@esri.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-824"
}
],
"source": "psirt@esri.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-824"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2021-29096
Vulnerability from fkie_nvd - Published: 2021-03-25 19:15 - Updated: 2024-11-21 06:00
Severity ?
Summary
A use-after-free vulnerability when parsing a specially crafted file in Esri ArcReader, ArcGIS Desktop, ArcGIS Engine 10.8.1 (and earlier) and ArcGIS Pro 2.7 (and earlier) allows an unauthenticated attacker to achieve arbitrary code execution in the context of the current user.
References
| URL | Tags | ||
|---|---|---|---|
| psirt@esri.com | https://www.esri.com/arcgis-blog/products/arcgis/administration/security-advisory-general-raster/ | Vendor Advisory | |
| psirt@esri.com | https://www.zerodayinitiative.com/advisories/ZDI-21-370/ | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.esri.com/arcgis-blog/products/arcgis/administration/security-advisory-general-raster/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.zerodayinitiative.com/advisories/ZDI-21-370/ | Third Party Advisory, VDB Entry |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| esri | arcgis_engine | * | |
| esri | arcgis_pro | * | |
| esri | arcmap | * | |
| esri | arcreader | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:esri:arcgis_engine:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2A49E9C8-9522-45F8-B3B8-FB58D40105B4",
"versionEndIncluding": "10.8.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:arcgis_pro:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B3B1EC12-C1FB-408B-823C-8FF6581ED8ED",
"versionEndIncluding": "2.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:arcmap:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C055EC7D-F119-4350-9C8D-731873D70D4F",
"versionEndIncluding": "10.8.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:esri:arcreader:*:*:*:*:*:*:*:*",
"matchCriteriaId": "93D3FB72-81E3-4DA3-88E7-B12BEDE51A53",
"versionEndIncluding": "10.8.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A use-after-free vulnerability when parsing a specially crafted file in Esri ArcReader, ArcGIS Desktop, ArcGIS Engine 10.8.1 (and earlier) and ArcGIS Pro 2.7 (and earlier) allows an unauthenticated attacker to achieve arbitrary code execution in the context of the current user."
},
{
"lang": "es",
"value": "Una vulnerabilidad de uso de la memoria previamente liberada cuando se analiza un archivo especialmente dise\u00f1ado en Esri ArcReader, ArcGIS Desktop, ArcGIS Engine versiones 10.8.1 (y anteriores) y ArcGIS Pro versiones 2.7 (y anteriores), permite a un atacante no autenticado lograr una ejecuci\u00f3n de c\u00f3digo arbitrario en el contexto de el usuario actual"
}
],
"id": "CVE-2021-29096",
"lastModified": "2024-11-21T06:00:42.430",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 1.8,
"impactScore": 5.9,
"source": "psirt@esri.com",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-03-25T19:15:14.533",
"references": [
{
"source": "psirt@esri.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.esri.com/arcgis-blog/products/arcgis/administration/security-advisory-general-raster/"
},
{
"source": "psirt@esri.com",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-370/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.esri.com/arcgis-blog/products/arcgis/administration/security-advisory-general-raster/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-370/"
}
],
"sourceIdentifier": "psirt@esri.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-416"
}
],
"source": "psirt@esri.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-416"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2012-1661
Vulnerability from fkie_nvd - Published: 2012-07-12 21:55 - Updated: 2025-04-11 00:51
Severity ?
Summary
ESRI ArcMap 9 and ArcGIS 10.0.2.3200 and earlier does not properly prompt users before executing embedded VBA macros, which allows user-assisted remote attackers to execute arbitrary VBA code via a crafted map (.mxd) file.
References
| URL | Tags | ||
|---|---|---|---|
| cve@mitre.org | http://packetstormsecurity.org/files/113644/ESRI-ArcMap-Arbitrary-Code-Execution.html | Exploit | |
| cve@mitre.org | http://www.cs.umb.edu/~joecohen/exploits/CVE-2012-1661/ | Exploit | |
| cve@mitre.org | http://www.exploit-db.com/exploits/19138 | Exploit, Third Party Advisory, VDB Entry | |
| cve@mitre.org | http://www.osvdb.org/82986 | Broken Link | |
| cve@mitre.org | http://www.securitytracker.com/id?1027170 | Exploit, Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | http://packetstormsecurity.org/files/113644/ESRI-ArcMap-Arbitrary-Code-Execution.html | Exploit | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.cs.umb.edu/~joecohen/exploits/CVE-2012-1661/ | Exploit | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.exploit-db.com/exploits/19138 | Exploit, Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.osvdb.org/82986 | Broken Link | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securitytracker.com/id?1027170 | Exploit, Third Party Advisory, VDB Entry |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:esri:arcmap:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E3A6EBE1-B65C-4908-ACAB-7BD8AAD76296",
"versionEndIncluding": "10.0.2.3200",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "ESRI ArcMap 9 and ArcGIS 10.0.2.3200 and earlier does not properly prompt users before executing embedded VBA macros, which allows user-assisted remote attackers to execute arbitrary VBA code via a crafted map (.mxd) file."
},
{
"lang": "es",
"value": "ESRI ArcMap v9 y ArcGIS v10.0.2.3200 y anteriores no pregunta a los usuarios antes de antes de ejecutar macros VBA incrustados, lo que permite a usuarios remotos con la ayuda de usuarios locales ejecutar c\u00f3digo de su elecci\u00f3n a trav\u00e9s de c\u00f3digo VBA a trav\u00e9s de fichero de mapas (.MXD) modificados a mano."
}
],
"id": "CVE-2012-1661",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 9.3,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 10.0,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2012-07-12T21:55:04.750",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "http://packetstormsecurity.org/files/113644/ESRI-ArcMap-Arbitrary-Code-Execution.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "http://www.cs.umb.edu/~joecohen/exploits/CVE-2012-1661/"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.exploit-db.com/exploits/19138"
},
{
"source": "cve@mitre.org",
"tags": [
"Broken Link"
],
"url": "http://www.osvdb.org/82986"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securitytracker.com/id?1027170"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://packetstormsecurity.org/files/113644/ESRI-ArcMap-Arbitrary-Code-Execution.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://www.cs.umb.edu/~joecohen/exploits/CVE-2012-1661/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.exploit-db.com/exploits/19138"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link"
],
"url": "http://www.osvdb.org/82986"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securitytracker.com/id?1027170"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-94"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2021-29098 (GCVE-0-2021-29098)
Vulnerability from cvelistv5 – Published: 2021-03-25 20:37 – Updated: 2025-04-10 15:22
VLAI?
Title
ArcGIS general raster security update: uninitialized pointer
Summary
Multiple uninitialized pointer vulnerabilities when parsing a specially crafted file in Esri ArcReader, ArcGIS Desktop, ArcGIS Engine 10.8.1 (and earlier) and ArcGIS Pro 2.7 (and earlier) allow an unauthenticated attacker to achieve arbitrary code execution in the context of the current user.
Severity ?
7.8 (High)
CWE
- CWE-824 - Access of Uninitialized Pointer
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Esri | ArcReader |
Affected:
All , < 10.9.0
(custom)
|
||||||||||||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T22:02:50.333Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.esri.com/arcgis-blog/products/arcgis/administration/security-advisory-general-raster/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-361/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-362/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-372/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-29098",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-10T14:50:14.442719Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-10T15:22:04.460Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"platforms": [
"x86 Windows"
],
"product": "ArcReader",
"vendor": "Esri",
"versions": [
{
"lessThan": "10.9.0",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
},
{
"platforms": [
"x86 Windows"
],
"product": "ArcGIS Desktop",
"vendor": "Esri",
"versions": [
{
"lessThan": "10.9.0",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
},
{
"platforms": [
"X64 Windows"
],
"product": "ArcGIS Engine",
"vendor": "Esri",
"versions": [
{
"lessThan": "10.9.0",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
},
{
"platforms": [
"x64 Linux"
],
"product": "ArcGIS Engine",
"vendor": "Esri",
"versions": [
{
"lessThan": "10.9.0",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
},
{
"platforms": [
"X86 Windows"
],
"product": "ArcGIS Engine",
"vendor": "Esri",
"versions": [
{
"lessThan": "10.9.0",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
},
{
"platforms": [
"X86 Linux"
],
"product": "ArcGIS Engine",
"vendor": "Esri",
"versions": [
{
"lessThan": "10.9.0",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
},
{
"platforms": [
"x64 Windows"
],
"product": "ArcGIS Pro",
"vendor": "Esri",
"versions": [
{
"lessThan": "4.7.2",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
},
{
"platforms": [
"x64 Windows"
],
"product": "ArcGIS Desktop Background Geoprocessing",
"vendor": "Esri",
"versions": [
{
"lessThan": "10.9.0",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
},
{
"platforms": [
"x64 Linux"
],
"product": "ArcGIS Desktop Background Geoprocessing",
"vendor": "Esri",
"versions": [
{
"lessThan": "10.9.0",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-03-16T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Multiple uninitialized pointer vulnerabilities when parsing a specially crafted file in Esri ArcReader, ArcGIS Desktop, ArcGIS Engine 10.8.1 (and earlier) and ArcGIS Pro 2.7 (and earlier) allow an unauthenticated attacker to achieve arbitrary code execution in the context of the current user."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-824",
"description": "CWE-824 Access of Uninitialized Pointer",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-03-31T18:08:21.000Z",
"orgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
"shortName": "Esri"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.esri.com/arcgis-blog/products/arcgis/administration/security-advisory-general-raster/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-361/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-362/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-372/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "ArcGIS general raster security update: uninitialized pointer",
"x_generator": {
"engine": "Vulnogram 0.0.8"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@esri.com",
"DATE_PUBLIC": "2021-03-16T04:00:00.000Z",
"ID": "CVE-2021-29098",
"STATE": "PUBLIC",
"TITLE": "ArcGIS general raster security update: uninitialized pointer"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "ArcReader",
"version": {
"version_data": [
{
"platform": "x86 Windows",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "10.9.0"
}
]
}
},
{
"product_name": "ArcGIS Desktop",
"version": {
"version_data": [
{
"platform": "x86 Windows",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "10.9.0"
}
]
}
},
{
"product_name": "ArcGIS Engine",
"version": {
"version_data": [
{
"platform": "X64 Windows",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "10.9.0"
},
{
"platform": "x64 Linux",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "10.9.0"
},
{
"platform": "X86 Windows",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "10.9.0"
},
{
"platform": "X86 Linux",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "10.9.0"
}
]
}
},
{
"product_name": "ArcGIS Pro",
"version": {
"version_data": [
{
"platform": "x64 Windows",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "4.7.2"
}
]
}
},
{
"product_name": "ArcGIS Desktop Background Geoprocessing",
"version": {
"version_data": [
{
"platform": "x64 Windows",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "10.9.0"
},
{
"platform": "x64 Linux",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "10.9.0"
}
]
}
}
]
},
"vendor_name": "Esri"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple uninitialized pointer vulnerabilities when parsing a specially crafted file in Esri ArcReader, ArcGIS Desktop, ArcGIS Engine 10.8.1 (and earlier) and ArcGIS Pro 2.7 (and earlier) allow an unauthenticated attacker to achieve arbitrary code execution in the context of the current user."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.8"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-824 Access of Uninitialized Pointer"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.esri.com/arcgis-blog/products/arcgis/administration/security-advisory-general-raster/",
"refsource": "CONFIRM",
"url": "https://www.esri.com/arcgis-blog/products/arcgis/administration/security-advisory-general-raster/"
},
{
"name": "https://www.zerodayinitiative.com/advisories/ZDI-21-361/",
"refsource": "MISC",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-361/"
},
{
"name": "https://www.zerodayinitiative.com/advisories/ZDI-21-362/",
"refsource": "MISC",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-362/"
},
{
"name": "https://www.zerodayinitiative.com/advisories/ZDI-21-372/",
"refsource": "MISC",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-372/"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
"assignerShortName": "Esri",
"cveId": "CVE-2021-29098",
"datePublished": "2021-03-25T20:37:05.516Z",
"dateReserved": "2021-03-23T00:00:00.000Z",
"dateUpdated": "2025-04-10T15:22:04.460Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-29097 (GCVE-0-2021-29097)
Vulnerability from cvelistv5 – Published: 2021-03-25 20:36 – Updated: 2024-09-17 03:17
VLAI?
Title
ArcGIS general raster security update: buffer overflow
Summary
Multiple buffer overflow vulnerabilities when parsing a specially crafted file in Esri ArcReader, ArcGIS Desktop, ArcGIS Engine 10.8.1 (and earlier) and ArcGIS Pro 2.7 (and earlier) allow an unauthenticated attacker to achieve arbitrary code execution in the context of the current user.
Severity ?
7.8 (High)
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Esri | ArcReader |
Affected:
All , < 10.9.0
(custom)
|
||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T22:02:50.311Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.esri.com/arcgis-blog/products/arcgis/administration/security-advisory-general-raster/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-367/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-371/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-364/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-363/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-369/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-368/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-365/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-360/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"platforms": [
"x86"
],
"product": "ArcReader",
"vendor": "Esri",
"versions": [
{
"lessThan": "10.9.0",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
},
{
"platforms": [
"x86"
],
"product": "ArcGIS Desktop",
"vendor": "Esri",
"versions": [
{
"lessThan": "10.9.0",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
},
{
"platforms": [
"x64"
],
"product": "ArcGIS Engine",
"vendor": "Esri",
"versions": [
{
"lessThan": "10.9.0",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
},
{
"platforms": [
"x86"
],
"product": "ArcGIS Engine",
"vendor": "Esri",
"versions": [
{
"lessThan": "10.9.0",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
},
{
"platforms": [
"x64"
],
"product": "ArcGIS Pro",
"vendor": "Esri",
"versions": [
{
"lessThan": "4.7.2",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
},
{
"platforms": [
"x86"
],
"product": "ArcGIS Desktop Background Geoprocessing",
"vendor": "Esri",
"versions": [
{
"lessThan": "10.9",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
},
{
"platforms": [
"x64"
],
"product": "ArcGIS Desktop Background Geoprocessing",
"vendor": "Esri",
"versions": [
{
"lessThan": "10.9",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-03-16T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Multiple buffer overflow vulnerabilities when parsing a specially crafted file in Esri ArcReader, ArcGIS Desktop, ArcGIS Engine 10.8.1 (and earlier) and ArcGIS Pro 2.7 (and earlier) allow an unauthenticated attacker to achieve arbitrary code execution in the context of the current user."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-122",
"description": "CWE-122 Heap-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "CWE-121 Stack-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-03-31T18:09:22",
"orgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
"shortName": "Esri"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.esri.com/arcgis-blog/products/arcgis/administration/security-advisory-general-raster/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-367/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-371/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-364/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-363/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-369/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-368/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-365/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-360/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "ArcGIS general raster security update: buffer overflow",
"x_generator": {
"engine": "Vulnogram 0.0.8"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@esri.com",
"DATE_PUBLIC": "2021-03-16T04:00:00.000Z",
"ID": "CVE-2021-29097",
"STATE": "PUBLIC",
"TITLE": "ArcGIS general raster security update: buffer overflow"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "ArcReader",
"version": {
"version_data": [
{
"platform": "x86",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "10.9.0"
}
]
}
},
{
"product_name": "ArcGIS Desktop",
"version": {
"version_data": [
{
"platform": "x86",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "10.9.0"
}
]
}
},
{
"product_name": "ArcGIS Engine",
"version": {
"version_data": [
{
"platform": "x64",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "10.9.0"
},
{
"platform": "x86",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "10.9.0"
}
]
}
},
{
"product_name": "ArcGIS Pro",
"version": {
"version_data": [
{
"platform": "x64",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "4.7.2"
}
]
}
},
{
"product_name": "ArcGIS Desktop Background Geoprocessing",
"version": {
"version_data": [
{
"platform": "x86",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "10.9"
},
{
"platform": "x64",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "10.9"
}
]
}
}
]
},
"vendor_name": "Esri"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple buffer overflow vulnerabilities when parsing a specially crafted file in Esri ArcReader, ArcGIS Desktop, ArcGIS Engine 10.8.1 (and earlier) and ArcGIS Pro 2.7 (and earlier) allow an unauthenticated attacker to achieve arbitrary code execution in the context of the current user."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.8"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-122 Heap-based Buffer Overflow"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-121 Stack-based Buffer Overflow"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.esri.com/arcgis-blog/products/arcgis/administration/security-advisory-general-raster/",
"refsource": "CONFIRM",
"url": "https://www.esri.com/arcgis-blog/products/arcgis/administration/security-advisory-general-raster/"
},
{
"name": "https://www.zerodayinitiative.com/advisories/ZDI-21-367/",
"refsource": "MISC",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-367/"
},
{
"name": "https://www.zerodayinitiative.com/advisories/ZDI-21-371/",
"refsource": "MISC",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-371/"
},
{
"name": "https://www.zerodayinitiative.com/advisories/ZDI-21-364/",
"refsource": "MISC",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-364/"
},
{
"name": "https://www.zerodayinitiative.com/advisories/ZDI-21-363/",
"refsource": "MISC",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-363/"
},
{
"name": "https://www.zerodayinitiative.com/advisories/ZDI-21-369/",
"refsource": "MISC",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-369/"
},
{
"name": "https://www.zerodayinitiative.com/advisories/ZDI-21-368/",
"refsource": "MISC",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-368/"
},
{
"name": "https://www.zerodayinitiative.com/advisories/ZDI-21-365/",
"refsource": "MISC",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-365/"
},
{
"name": "https://www.zerodayinitiative.com/advisories/ZDI-21-360/",
"refsource": "MISC",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-360/"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
"assignerShortName": "Esri",
"cveId": "CVE-2021-29097",
"datePublished": "2021-03-25T20:36:03.915336Z",
"dateReserved": "2021-03-23T00:00:00",
"dateUpdated": "2024-09-17T03:17:27.744Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-29096 (GCVE-0-2021-29096)
Vulnerability from cvelistv5 – Published: 2021-03-25 18:37 – Updated: 2024-09-17 03:42
VLAI?
Title
ArcGIS general raster security update: use-after-free
Summary
A use-after-free vulnerability when parsing a specially crafted file in Esri ArcReader, ArcGIS Desktop, ArcGIS Engine 10.8.1 (and earlier) and ArcGIS Pro 2.7 (and earlier) allows an unauthenticated attacker to achieve arbitrary code execution in the context of the current user.
Severity ?
7.8 (High)
CWE
- CWE-416 - Use After Free
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Esri | ArcReader |
Affected:
All , < 10.9.0
(custom)
|
||||||||||||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T22:02:50.577Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.esri.com/arcgis-blog/products/arcgis/administration/security-advisory-general-raster/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-370/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"platforms": [
"x86 Windows"
],
"product": "ArcReader",
"vendor": "Esri",
"versions": [
{
"lessThan": "10.9.0",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
},
{
"platforms": [
"x86 Windows"
],
"product": "ArcGIS Desktop",
"vendor": "Esri",
"versions": [
{
"lessThan": "10.9.0",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
},
{
"platforms": [
"X64 Windows"
],
"product": "ArcGIS Engine",
"vendor": "Esri",
"versions": [
{
"lessThan": "10.9.0",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
},
{
"platforms": [
"x64 Linux"
],
"product": "ArcGIS Engine",
"vendor": "Esri",
"versions": [
{
"lessThan": "10.9.0",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
},
{
"platforms": [
"X86 Windows"
],
"product": "ArcGIS Engine",
"vendor": "Esri",
"versions": [
{
"lessThan": "10.9.0",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
},
{
"platforms": [
"X86 Linux"
],
"product": "ArcGIS Engine",
"vendor": "Esri",
"versions": [
{
"lessThan": "10.9.0",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
},
{
"platforms": [
"x86 Windows"
],
"product": "ArcGIS Desktop Background Geoprocessing",
"vendor": "Esri",
"versions": [
{
"lessThan": "10.9.0",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
},
{
"platforms": [
"x64 Windows"
],
"product": "ArcGIS Engine Background Geoprocessing",
"vendor": "Esri",
"versions": [
{
"lessThan": "10.9.0",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
},
{
"platforms": [
"x64 Linux"
],
"product": "ArcGIS Engine Background Geoprocessing",
"vendor": "Esri",
"versions": [
{
"lessThan": "10.9.0",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-03-16T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "A use-after-free vulnerability when parsing a specially crafted file in Esri ArcReader, ArcGIS Desktop, ArcGIS Engine 10.8.1 (and earlier) and ArcGIS Pro 2.7 (and earlier) allows an unauthenticated attacker to achieve arbitrary code execution in the context of the current user."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-03-31T18:10:06",
"orgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
"shortName": "Esri"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.esri.com/arcgis-blog/products/arcgis/administration/security-advisory-general-raster/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-370/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "ArcGIS general raster security update: use-after-free",
"x_generator": {
"engine": "Vulnogram 0.0.8"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@esri.com",
"DATE_PUBLIC": "2021-03-16T04:00:00.000Z",
"ID": "CVE-2021-29096",
"STATE": "PUBLIC",
"TITLE": "ArcGIS general raster security update: use-after-free"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "ArcReader",
"version": {
"version_data": [
{
"platform": "x86 Windows",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "10.9.0"
}
]
}
},
{
"product_name": "ArcGIS Desktop",
"version": {
"version_data": [
{
"platform": "x86 Windows",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "10.9.0"
}
]
}
},
{
"product_name": "ArcGIS Engine",
"version": {
"version_data": [
{
"platform": "X64 Windows",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "10.9.0"
},
{
"platform": "x64 Linux",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "10.9.0"
},
{
"platform": "X86 Windows",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "10.9.0"
},
{
"platform": "X86 Linux",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "10.9.0"
}
]
}
},
{
"product_name": "ArcGIS Desktop Background Geoprocessing",
"version": {
"version_data": [
{
"platform": "x86 Windows",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "10.9.0"
}
]
}
},
{
"product_name": "ArcGIS Engine Background Geoprocessing",
"version": {
"version_data": [
{
"platform": "x64 Windows",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "10.9.0"
},
{
"platform": "x64 Linux",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "10.9.0"
}
]
}
}
]
},
"vendor_name": "Esri"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A use-after-free vulnerability when parsing a specially crafted file in Esri ArcReader, ArcGIS Desktop, ArcGIS Engine 10.8.1 (and earlier) and ArcGIS Pro 2.7 (and earlier) allows an unauthenticated attacker to achieve arbitrary code execution in the context of the current user."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.8"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-416 Use After Free"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.esri.com/arcgis-blog/products/arcgis/administration/security-advisory-general-raster/",
"refsource": "CONFIRM",
"url": "https://www.esri.com/arcgis-blog/products/arcgis/administration/security-advisory-general-raster/"
},
{
"name": "https://www.zerodayinitiative.com/advisories/ZDI-21-370/",
"refsource": "MISC",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-370/"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
"assignerShortName": "Esri",
"cveId": "CVE-2021-29096",
"datePublished": "2021-03-25T18:37:37.051791Z",
"dateReserved": "2021-03-23T00:00:00",
"dateUpdated": "2024-09-17T03:42:41.962Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2012-1661 (GCVE-0-2012-1661)
Vulnerability from cvelistv5 – Published: 2012-07-12 21:00 – Updated: 2024-09-16 23:46
VLAI?
Summary
ESRI ArcMap 9 and ArcGIS 10.0.2.3200 and earlier does not properly prompt users before executing embedded VBA macros, which allows user-assisted remote attackers to execute arbitrary VBA code via a crafted map (.mxd) file.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T19:01:02.926Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "19138",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "http://www.exploit-db.com/exploits/19138"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.org/files/113644/ESRI-ArcMap-Arbitrary-Code-Execution.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.cs.umb.edu/~joecohen/exploits/CVE-2012-1661/"
},
{
"name": "1027170",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id?1027170"
},
{
"name": "82986",
"tags": [
"vdb-entry",
"x_refsource_OSVDB",
"x_transferred"
],
"url": "http://www.osvdb.org/82986"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ESRI ArcMap 9 and ArcGIS 10.0.2.3200 and earlier does not properly prompt users before executing embedded VBA macros, which allows user-assisted remote attackers to execute arbitrary VBA code via a crafted map (.mxd) file."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2012-07-12T21:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "19138",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "http://www.exploit-db.com/exploits/19138"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.org/files/113644/ESRI-ArcMap-Arbitrary-Code-Execution.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://www.cs.umb.edu/~joecohen/exploits/CVE-2012-1661/"
},
{
"name": "1027170",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id?1027170"
},
{
"name": "82986",
"tags": [
"vdb-entry",
"x_refsource_OSVDB"
],
"url": "http://www.osvdb.org/82986"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2012-1661",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "ESRI ArcMap 9 and ArcGIS 10.0.2.3200 and earlier does not properly prompt users before executing embedded VBA macros, which allows user-assisted remote attackers to execute arbitrary VBA code via a crafted map (.mxd) file."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "19138",
"refsource": "EXPLOIT-DB",
"url": "http://www.exploit-db.com/exploits/19138"
},
{
"name": "http://packetstormsecurity.org/files/113644/ESRI-ArcMap-Arbitrary-Code-Execution.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.org/files/113644/ESRI-ArcMap-Arbitrary-Code-Execution.html"
},
{
"name": "http://www.cs.umb.edu/~joecohen/exploits/CVE-2012-1661/",
"refsource": "MISC",
"url": "http://www.cs.umb.edu/~joecohen/exploits/CVE-2012-1661/"
},
{
"name": "1027170",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id?1027170"
},
{
"name": "82986",
"refsource": "OSVDB",
"url": "http://www.osvdb.org/82986"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2012-1661",
"datePublished": "2012-07-12T21:00:00Z",
"dateReserved": "2012-03-13T00:00:00Z",
"dateUpdated": "2024-09-16T23:46:27.819Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-29098 (GCVE-0-2021-29098)
Vulnerability from nvd – Published: 2021-03-25 20:37 – Updated: 2025-04-10 15:22
VLAI?
Title
ArcGIS general raster security update: uninitialized pointer
Summary
Multiple uninitialized pointer vulnerabilities when parsing a specially crafted file in Esri ArcReader, ArcGIS Desktop, ArcGIS Engine 10.8.1 (and earlier) and ArcGIS Pro 2.7 (and earlier) allow an unauthenticated attacker to achieve arbitrary code execution in the context of the current user.
Severity ?
7.8 (High)
CWE
- CWE-824 - Access of Uninitialized Pointer
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Esri | ArcReader |
Affected:
All , < 10.9.0
(custom)
|
||||||||||||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T22:02:50.333Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.esri.com/arcgis-blog/products/arcgis/administration/security-advisory-general-raster/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-361/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-362/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-372/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-29098",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-10T14:50:14.442719Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-10T15:22:04.460Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"platforms": [
"x86 Windows"
],
"product": "ArcReader",
"vendor": "Esri",
"versions": [
{
"lessThan": "10.9.0",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
},
{
"platforms": [
"x86 Windows"
],
"product": "ArcGIS Desktop",
"vendor": "Esri",
"versions": [
{
"lessThan": "10.9.0",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
},
{
"platforms": [
"X64 Windows"
],
"product": "ArcGIS Engine",
"vendor": "Esri",
"versions": [
{
"lessThan": "10.9.0",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
},
{
"platforms": [
"x64 Linux"
],
"product": "ArcGIS Engine",
"vendor": "Esri",
"versions": [
{
"lessThan": "10.9.0",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
},
{
"platforms": [
"X86 Windows"
],
"product": "ArcGIS Engine",
"vendor": "Esri",
"versions": [
{
"lessThan": "10.9.0",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
},
{
"platforms": [
"X86 Linux"
],
"product": "ArcGIS Engine",
"vendor": "Esri",
"versions": [
{
"lessThan": "10.9.0",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
},
{
"platforms": [
"x64 Windows"
],
"product": "ArcGIS Pro",
"vendor": "Esri",
"versions": [
{
"lessThan": "4.7.2",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
},
{
"platforms": [
"x64 Windows"
],
"product": "ArcGIS Desktop Background Geoprocessing",
"vendor": "Esri",
"versions": [
{
"lessThan": "10.9.0",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
},
{
"platforms": [
"x64 Linux"
],
"product": "ArcGIS Desktop Background Geoprocessing",
"vendor": "Esri",
"versions": [
{
"lessThan": "10.9.0",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-03-16T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Multiple uninitialized pointer vulnerabilities when parsing a specially crafted file in Esri ArcReader, ArcGIS Desktop, ArcGIS Engine 10.8.1 (and earlier) and ArcGIS Pro 2.7 (and earlier) allow an unauthenticated attacker to achieve arbitrary code execution in the context of the current user."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-824",
"description": "CWE-824 Access of Uninitialized Pointer",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-03-31T18:08:21.000Z",
"orgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
"shortName": "Esri"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.esri.com/arcgis-blog/products/arcgis/administration/security-advisory-general-raster/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-361/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-362/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-372/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "ArcGIS general raster security update: uninitialized pointer",
"x_generator": {
"engine": "Vulnogram 0.0.8"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@esri.com",
"DATE_PUBLIC": "2021-03-16T04:00:00.000Z",
"ID": "CVE-2021-29098",
"STATE": "PUBLIC",
"TITLE": "ArcGIS general raster security update: uninitialized pointer"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "ArcReader",
"version": {
"version_data": [
{
"platform": "x86 Windows",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "10.9.0"
}
]
}
},
{
"product_name": "ArcGIS Desktop",
"version": {
"version_data": [
{
"platform": "x86 Windows",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "10.9.0"
}
]
}
},
{
"product_name": "ArcGIS Engine",
"version": {
"version_data": [
{
"platform": "X64 Windows",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "10.9.0"
},
{
"platform": "x64 Linux",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "10.9.0"
},
{
"platform": "X86 Windows",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "10.9.0"
},
{
"platform": "X86 Linux",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "10.9.0"
}
]
}
},
{
"product_name": "ArcGIS Pro",
"version": {
"version_data": [
{
"platform": "x64 Windows",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "4.7.2"
}
]
}
},
{
"product_name": "ArcGIS Desktop Background Geoprocessing",
"version": {
"version_data": [
{
"platform": "x64 Windows",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "10.9.0"
},
{
"platform": "x64 Linux",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "10.9.0"
}
]
}
}
]
},
"vendor_name": "Esri"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple uninitialized pointer vulnerabilities when parsing a specially crafted file in Esri ArcReader, ArcGIS Desktop, ArcGIS Engine 10.8.1 (and earlier) and ArcGIS Pro 2.7 (and earlier) allow an unauthenticated attacker to achieve arbitrary code execution in the context of the current user."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.8"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-824 Access of Uninitialized Pointer"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.esri.com/arcgis-blog/products/arcgis/administration/security-advisory-general-raster/",
"refsource": "CONFIRM",
"url": "https://www.esri.com/arcgis-blog/products/arcgis/administration/security-advisory-general-raster/"
},
{
"name": "https://www.zerodayinitiative.com/advisories/ZDI-21-361/",
"refsource": "MISC",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-361/"
},
{
"name": "https://www.zerodayinitiative.com/advisories/ZDI-21-362/",
"refsource": "MISC",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-362/"
},
{
"name": "https://www.zerodayinitiative.com/advisories/ZDI-21-372/",
"refsource": "MISC",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-372/"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
"assignerShortName": "Esri",
"cveId": "CVE-2021-29098",
"datePublished": "2021-03-25T20:37:05.516Z",
"dateReserved": "2021-03-23T00:00:00.000Z",
"dateUpdated": "2025-04-10T15:22:04.460Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-29097 (GCVE-0-2021-29097)
Vulnerability from nvd – Published: 2021-03-25 20:36 – Updated: 2024-09-17 03:17
VLAI?
Title
ArcGIS general raster security update: buffer overflow
Summary
Multiple buffer overflow vulnerabilities when parsing a specially crafted file in Esri ArcReader, ArcGIS Desktop, ArcGIS Engine 10.8.1 (and earlier) and ArcGIS Pro 2.7 (and earlier) allow an unauthenticated attacker to achieve arbitrary code execution in the context of the current user.
Severity ?
7.8 (High)
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Esri | ArcReader |
Affected:
All , < 10.9.0
(custom)
|
||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T22:02:50.311Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.esri.com/arcgis-blog/products/arcgis/administration/security-advisory-general-raster/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-367/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-371/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-364/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-363/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-369/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-368/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-365/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-360/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"platforms": [
"x86"
],
"product": "ArcReader",
"vendor": "Esri",
"versions": [
{
"lessThan": "10.9.0",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
},
{
"platforms": [
"x86"
],
"product": "ArcGIS Desktop",
"vendor": "Esri",
"versions": [
{
"lessThan": "10.9.0",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
},
{
"platforms": [
"x64"
],
"product": "ArcGIS Engine",
"vendor": "Esri",
"versions": [
{
"lessThan": "10.9.0",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
},
{
"platforms": [
"x86"
],
"product": "ArcGIS Engine",
"vendor": "Esri",
"versions": [
{
"lessThan": "10.9.0",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
},
{
"platforms": [
"x64"
],
"product": "ArcGIS Pro",
"vendor": "Esri",
"versions": [
{
"lessThan": "4.7.2",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
},
{
"platforms": [
"x86"
],
"product": "ArcGIS Desktop Background Geoprocessing",
"vendor": "Esri",
"versions": [
{
"lessThan": "10.9",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
},
{
"platforms": [
"x64"
],
"product": "ArcGIS Desktop Background Geoprocessing",
"vendor": "Esri",
"versions": [
{
"lessThan": "10.9",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-03-16T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Multiple buffer overflow vulnerabilities when parsing a specially crafted file in Esri ArcReader, ArcGIS Desktop, ArcGIS Engine 10.8.1 (and earlier) and ArcGIS Pro 2.7 (and earlier) allow an unauthenticated attacker to achieve arbitrary code execution in the context of the current user."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-122",
"description": "CWE-122 Heap-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "CWE-121 Stack-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-03-31T18:09:22",
"orgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
"shortName": "Esri"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.esri.com/arcgis-blog/products/arcgis/administration/security-advisory-general-raster/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-367/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-371/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-364/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-363/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-369/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-368/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-365/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-360/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "ArcGIS general raster security update: buffer overflow",
"x_generator": {
"engine": "Vulnogram 0.0.8"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@esri.com",
"DATE_PUBLIC": "2021-03-16T04:00:00.000Z",
"ID": "CVE-2021-29097",
"STATE": "PUBLIC",
"TITLE": "ArcGIS general raster security update: buffer overflow"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "ArcReader",
"version": {
"version_data": [
{
"platform": "x86",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "10.9.0"
}
]
}
},
{
"product_name": "ArcGIS Desktop",
"version": {
"version_data": [
{
"platform": "x86",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "10.9.0"
}
]
}
},
{
"product_name": "ArcGIS Engine",
"version": {
"version_data": [
{
"platform": "x64",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "10.9.0"
},
{
"platform": "x86",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "10.9.0"
}
]
}
},
{
"product_name": "ArcGIS Pro",
"version": {
"version_data": [
{
"platform": "x64",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "4.7.2"
}
]
}
},
{
"product_name": "ArcGIS Desktop Background Geoprocessing",
"version": {
"version_data": [
{
"platform": "x86",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "10.9"
},
{
"platform": "x64",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "10.9"
}
]
}
}
]
},
"vendor_name": "Esri"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple buffer overflow vulnerabilities when parsing a specially crafted file in Esri ArcReader, ArcGIS Desktop, ArcGIS Engine 10.8.1 (and earlier) and ArcGIS Pro 2.7 (and earlier) allow an unauthenticated attacker to achieve arbitrary code execution in the context of the current user."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.8"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-122 Heap-based Buffer Overflow"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-121 Stack-based Buffer Overflow"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.esri.com/arcgis-blog/products/arcgis/administration/security-advisory-general-raster/",
"refsource": "CONFIRM",
"url": "https://www.esri.com/arcgis-blog/products/arcgis/administration/security-advisory-general-raster/"
},
{
"name": "https://www.zerodayinitiative.com/advisories/ZDI-21-367/",
"refsource": "MISC",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-367/"
},
{
"name": "https://www.zerodayinitiative.com/advisories/ZDI-21-371/",
"refsource": "MISC",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-371/"
},
{
"name": "https://www.zerodayinitiative.com/advisories/ZDI-21-364/",
"refsource": "MISC",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-364/"
},
{
"name": "https://www.zerodayinitiative.com/advisories/ZDI-21-363/",
"refsource": "MISC",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-363/"
},
{
"name": "https://www.zerodayinitiative.com/advisories/ZDI-21-369/",
"refsource": "MISC",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-369/"
},
{
"name": "https://www.zerodayinitiative.com/advisories/ZDI-21-368/",
"refsource": "MISC",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-368/"
},
{
"name": "https://www.zerodayinitiative.com/advisories/ZDI-21-365/",
"refsource": "MISC",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-365/"
},
{
"name": "https://www.zerodayinitiative.com/advisories/ZDI-21-360/",
"refsource": "MISC",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-360/"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
"assignerShortName": "Esri",
"cveId": "CVE-2021-29097",
"datePublished": "2021-03-25T20:36:03.915336Z",
"dateReserved": "2021-03-23T00:00:00",
"dateUpdated": "2024-09-17T03:17:27.744Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-29096 (GCVE-0-2021-29096)
Vulnerability from nvd – Published: 2021-03-25 18:37 – Updated: 2024-09-17 03:42
VLAI?
Title
ArcGIS general raster security update: use-after-free
Summary
A use-after-free vulnerability when parsing a specially crafted file in Esri ArcReader, ArcGIS Desktop, ArcGIS Engine 10.8.1 (and earlier) and ArcGIS Pro 2.7 (and earlier) allows an unauthenticated attacker to achieve arbitrary code execution in the context of the current user.
Severity ?
7.8 (High)
CWE
- CWE-416 - Use After Free
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Esri | ArcReader |
Affected:
All , < 10.9.0
(custom)
|
||||||||||||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T22:02:50.577Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.esri.com/arcgis-blog/products/arcgis/administration/security-advisory-general-raster/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-370/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"platforms": [
"x86 Windows"
],
"product": "ArcReader",
"vendor": "Esri",
"versions": [
{
"lessThan": "10.9.0",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
},
{
"platforms": [
"x86 Windows"
],
"product": "ArcGIS Desktop",
"vendor": "Esri",
"versions": [
{
"lessThan": "10.9.0",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
},
{
"platforms": [
"X64 Windows"
],
"product": "ArcGIS Engine",
"vendor": "Esri",
"versions": [
{
"lessThan": "10.9.0",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
},
{
"platforms": [
"x64 Linux"
],
"product": "ArcGIS Engine",
"vendor": "Esri",
"versions": [
{
"lessThan": "10.9.0",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
},
{
"platforms": [
"X86 Windows"
],
"product": "ArcGIS Engine",
"vendor": "Esri",
"versions": [
{
"lessThan": "10.9.0",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
},
{
"platforms": [
"X86 Linux"
],
"product": "ArcGIS Engine",
"vendor": "Esri",
"versions": [
{
"lessThan": "10.9.0",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
},
{
"platforms": [
"x86 Windows"
],
"product": "ArcGIS Desktop Background Geoprocessing",
"vendor": "Esri",
"versions": [
{
"lessThan": "10.9.0",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
},
{
"platforms": [
"x64 Windows"
],
"product": "ArcGIS Engine Background Geoprocessing",
"vendor": "Esri",
"versions": [
{
"lessThan": "10.9.0",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
},
{
"platforms": [
"x64 Linux"
],
"product": "ArcGIS Engine Background Geoprocessing",
"vendor": "Esri",
"versions": [
{
"lessThan": "10.9.0",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-03-16T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "A use-after-free vulnerability when parsing a specially crafted file in Esri ArcReader, ArcGIS Desktop, ArcGIS Engine 10.8.1 (and earlier) and ArcGIS Pro 2.7 (and earlier) allows an unauthenticated attacker to achieve arbitrary code execution in the context of the current user."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-03-31T18:10:06",
"orgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
"shortName": "Esri"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.esri.com/arcgis-blog/products/arcgis/administration/security-advisory-general-raster/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-370/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "ArcGIS general raster security update: use-after-free",
"x_generator": {
"engine": "Vulnogram 0.0.8"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@esri.com",
"DATE_PUBLIC": "2021-03-16T04:00:00.000Z",
"ID": "CVE-2021-29096",
"STATE": "PUBLIC",
"TITLE": "ArcGIS general raster security update: use-after-free"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "ArcReader",
"version": {
"version_data": [
{
"platform": "x86 Windows",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "10.9.0"
}
]
}
},
{
"product_name": "ArcGIS Desktop",
"version": {
"version_data": [
{
"platform": "x86 Windows",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "10.9.0"
}
]
}
},
{
"product_name": "ArcGIS Engine",
"version": {
"version_data": [
{
"platform": "X64 Windows",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "10.9.0"
},
{
"platform": "x64 Linux",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "10.9.0"
},
{
"platform": "X86 Windows",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "10.9.0"
},
{
"platform": "X86 Linux",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "10.9.0"
}
]
}
},
{
"product_name": "ArcGIS Desktop Background Geoprocessing",
"version": {
"version_data": [
{
"platform": "x86 Windows",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "10.9.0"
}
]
}
},
{
"product_name": "ArcGIS Engine Background Geoprocessing",
"version": {
"version_data": [
{
"platform": "x64 Windows",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "10.9.0"
},
{
"platform": "x64 Linux",
"version_affected": "\u003c",
"version_name": "All",
"version_value": "10.9.0"
}
]
}
}
]
},
"vendor_name": "Esri"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A use-after-free vulnerability when parsing a specially crafted file in Esri ArcReader, ArcGIS Desktop, ArcGIS Engine 10.8.1 (and earlier) and ArcGIS Pro 2.7 (and earlier) allows an unauthenticated attacker to achieve arbitrary code execution in the context of the current user."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.8"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-416 Use After Free"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.esri.com/arcgis-blog/products/arcgis/administration/security-advisory-general-raster/",
"refsource": "CONFIRM",
"url": "https://www.esri.com/arcgis-blog/products/arcgis/administration/security-advisory-general-raster/"
},
{
"name": "https://www.zerodayinitiative.com/advisories/ZDI-21-370/",
"refsource": "MISC",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-370/"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e",
"assignerShortName": "Esri",
"cveId": "CVE-2021-29096",
"datePublished": "2021-03-25T18:37:37.051791Z",
"dateReserved": "2021-03-23T00:00:00",
"dateUpdated": "2024-09-17T03:42:41.962Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2012-1661 (GCVE-0-2012-1661)
Vulnerability from nvd – Published: 2012-07-12 21:00 – Updated: 2024-09-16 23:46
VLAI?
Summary
ESRI ArcMap 9 and ArcGIS 10.0.2.3200 and earlier does not properly prompt users before executing embedded VBA macros, which allows user-assisted remote attackers to execute arbitrary VBA code via a crafted map (.mxd) file.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T19:01:02.926Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "19138",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "http://www.exploit-db.com/exploits/19138"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.org/files/113644/ESRI-ArcMap-Arbitrary-Code-Execution.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.cs.umb.edu/~joecohen/exploits/CVE-2012-1661/"
},
{
"name": "1027170",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id?1027170"
},
{
"name": "82986",
"tags": [
"vdb-entry",
"x_refsource_OSVDB",
"x_transferred"
],
"url": "http://www.osvdb.org/82986"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ESRI ArcMap 9 and ArcGIS 10.0.2.3200 and earlier does not properly prompt users before executing embedded VBA macros, which allows user-assisted remote attackers to execute arbitrary VBA code via a crafted map (.mxd) file."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2012-07-12T21:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "19138",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "http://www.exploit-db.com/exploits/19138"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.org/files/113644/ESRI-ArcMap-Arbitrary-Code-Execution.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://www.cs.umb.edu/~joecohen/exploits/CVE-2012-1661/"
},
{
"name": "1027170",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id?1027170"
},
{
"name": "82986",
"tags": [
"vdb-entry",
"x_refsource_OSVDB"
],
"url": "http://www.osvdb.org/82986"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2012-1661",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "ESRI ArcMap 9 and ArcGIS 10.0.2.3200 and earlier does not properly prompt users before executing embedded VBA macros, which allows user-assisted remote attackers to execute arbitrary VBA code via a crafted map (.mxd) file."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "19138",
"refsource": "EXPLOIT-DB",
"url": "http://www.exploit-db.com/exploits/19138"
},
{
"name": "http://packetstormsecurity.org/files/113644/ESRI-ArcMap-Arbitrary-Code-Execution.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.org/files/113644/ESRI-ArcMap-Arbitrary-Code-Execution.html"
},
{
"name": "http://www.cs.umb.edu/~joecohen/exploits/CVE-2012-1661/",
"refsource": "MISC",
"url": "http://www.cs.umb.edu/~joecohen/exploits/CVE-2012-1661/"
},
{
"name": "1027170",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id?1027170"
},
{
"name": "82986",
"refsource": "OSVDB",
"url": "http://www.osvdb.org/82986"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2012-1661",
"datePublished": "2012-07-12T21:00:00Z",
"dateReserved": "2012-03-13T00:00:00Z",
"dateUpdated": "2024-09-16T23:46:27.819Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}