CVE-2021-29113 - OpenCVE

A remote file inclusion vulnerability in the ArcGIS Server help documentation may allow a remote, unauthenticated attacker to inject attacker supplied html into a page.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Esri	Arcgis Server

Configuration 1 [-]

cpe:2.3:a:esri:arcgis_server:*:*:*:*:*:*:x64:*

References

Link	Resource
https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/arcgis-server-security-2021-update-2-patch-is-now-available	Not Applicable Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: Esri

Published: 2021-12-06T00:00:00

Updated: 2021-12-07T10:48:48

Reserved: 2021-03-23T00:00:00

Link: CVE-2021-29113

JSON object: View

NVD Information

Status : Modified

Published: 2021-12-07T11:15:07.723

Modified: 2023-11-07T03:32:31.490

Link: CVE-2021-29113

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"platforms": ["x64 "], "product": "ArcGIS Server", "vendor": "Esri", "versions": [{"lessThanOrEqual": "10.9.0", "status": "affected", "version": "10.9", "versionType": "custom"}]}], "datePublic": "2021-12-06T00:00:00", "descriptions": [{"lang": "en", "value": "A remote file inclusion vulnerability in the ArcGIS Server help documentation may allow a remote, unauthenticated attacker to inject attacker supplied html into a page."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "description": "CWE-98: Improper Control of Filename for Include/Require Statement ", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-12-07T10:48:48", "orgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e", "shortName": "Esri"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/arcgis-server-security-2021-update-2-patch-is-now-available"}], "source": {"defect": ["BUG-000139857", ""], "discovery": "EXTERNAL"}, "title": "Remote file inclusion vulnerability in ArcGIS Server help documentation", "x_generator": {"engine": "Vulnogram 0.0.8"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@esri.com", "DATE_PUBLIC": "2021-12-06", "ID": "CVE-2021-29113", "STATE": "PUBLIC", "TITLE": "Remote file inclusion vulnerability in ArcGIS Server help documentation"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "ArcGIS Server", "version": {"version_data": [{"platform": "x64 ", "version_affected": "<=", "version_name": "10.9", "version_value": "10.9.0"}]}}]}, "vendor_name": "Esri"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A remote file inclusion vulnerability in the ArcGIS Server help documentation may allow a remote, unauthenticated attacker to inject attacker supplied html into a page."}]}, "generator": {"engine": "Vulnogram 0.0.8"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-98: Improper Control of Filename for Include/Require Statement "}]}]}, "references": {"reference_data": [{"name": "https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/arcgis-server-security-2021-update-2-patch-is-now-available", "refsource": "CONFIRM", "url": "https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/arcgis-server-security-2021-update-2-patch-is-now-available"}]}, "source": {"defect": ["BUG-000139857", ""], "discovery": "EXTERNAL"}}}}, "cveMetadata": {"assignerOrgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e", "assignerShortName": "Esri", "cveId": "CVE-2021-29113", "datePublished": "2021-12-06T00:00:00", "dateReserved": "2021-03-23T00:00:00", "dateUpdated": "2021-12-07T10:48:48", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:esri:arcgis_server:*:*:*:*:*:*:x64:*", "matchCriteriaId": "8BF5518D-4262-4A59-AE39-CF7E5060B9DB", "versionEndIncluding": "10.9.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A remote file inclusion vulnerability in the ArcGIS Server help documentation may allow a remote, unauthenticated attacker to inject attacker supplied html into a page."}, {"lang": "es", "value": "Una vulnerabilidad de inclusi\u00f3n de archivos remotos en la documentaci\u00f3n de ayuda de ArcGIS Server puede permitir a un atacante remoto no autenticado inyectar en una p\u00e1gina el html suministrado por el atacante"}], "id": "CVE-2021-29113", "lastModified": "2023-11-07T03:32:31.490", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "psirt@esri.com", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-12-07T11:15:07.723", "references": [{"source": "psirt@esri.com", "tags": ["Not Applicable", "Vendor Advisory"], "url": "https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/arcgis-server-security-2021-update-2-patch-is-now-available"}], "sourceIdentifier": "psirt@esri.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-829"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-98"}], "source": "psirt@esri.com", "type": "Secondary"}]}