CVE-2021-29113 : Security Advisory and Response

Learn about CVE-2021-29113, a remote file inclusion vulnerability in ArcGIS Server's help documentation that allows attackers to inject HTML into pages. Find out the impact, affected versions, and mitigation steps.

A remote file inclusion vulnerability in the ArcGIS Server help documentation may allow a remote, unauthenticated attacker to inject attacker supplied HTML into a page.

Understanding CVE-2021-29113

This CVE refers to a security vulnerability in ArcGIS Server that could permit an attacker to insert malicious HTML into web pages.

What is CVE-2021-29113?

CVE-2021-29113 is a remote file inclusion vulnerability in ArcGIS Server's help documentation that a remote, unauthenticated attacker could exploit.

The Impact of CVE-2021-29113

The vulnerability could enable attackers to manipulate pages with injected code, potentially leading to further malicious activities.

Technical Details of CVE-2021-29113

This section provides a deeper insight into the specifics of the CVE.

Vulnerability Description

The vulnerability arises from improper control of filenames for include/require statements in the ArcGIS Server help documentation, allowing unauthorized inclusion of external files.

Affected Systems and Versions

The vulnerability affects ArcGIS Server version 10.9.0 and earlier, running on x64 platforms.

Exploitation Mechanism

An unauthenticated remote attacker can exploit this vulnerability via network access with low attack complexity.

Mitigation and Prevention

Protecting systems from CVE-2021-29113 requires immediate action and ongoing security measures.

Immediate Steps to Take

- Apply the latest security patch provided by Esri for ArcGIS Server.
- Restrict network access to the server.

Long-Term Security Practices

- Regularly update and patch software to prevent known vulnerabilities.
- Implement proper access controls and input validation.

Patching and Updates

Ensure that ArcGIS Server is updated to version 10.9.1 or later, where this vulnerability has been addressed.
