Vulnerability Details CVE-2021-29097
Multiple buffer overflow vulnerabilities when parsing a specially crafted file in Esri ArcReader, ArcGIS Desktop, ArcGIS Engine 10.8.1 (and earlier) and ArcGIS Pro 2.7 (and earlier) allow an unauthenticated attacker to achieve arbitrary code execution in the context of the current user.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.004
EPSS Ranking 61.9%
CVSS Severity
CVSS v3 Score 7.8
CVSS v2 Score 6.8
References
- https://www.esri.com/arcgis-blog/products/arcgis/administration/security-advisory-general-raster/
- https://www.zerodayinitiative.com/advisories/ZDI-21-360/
- https://www.zerodayinitiative.com/advisories/ZDI-21-363/
- https://www.zerodayinitiative.com/advisories/ZDI-21-364/
- https://www.zerodayinitiative.com/advisories/ZDI-21-365/
- https://www.zerodayinitiative.com/advisories/ZDI-21-367/
- https://www.zerodayinitiative.com/advisories/ZDI-21-368/
- https://www.zerodayinitiative.com/advisories/ZDI-21-369/
- https://www.zerodayinitiative.com/advisories/ZDI-21-371/
- https://www.esri.com/arcgis-blog/products/arcgis/administration/security-advisory-general-raster/
- https://www.zerodayinitiative.com/advisories/ZDI-21-360/
- https://www.zerodayinitiative.com/advisories/ZDI-21-363/
- https://www.zerodayinitiative.com/advisories/ZDI-21-364/
- https://www.zerodayinitiative.com/advisories/ZDI-21-365/
- https://www.zerodayinitiative.com/advisories/ZDI-21-367/
- https://www.zerodayinitiative.com/advisories/ZDI-21-368/
- https://www.zerodayinitiative.com/advisories/ZDI-21-369/
- https://www.zerodayinitiative.com/advisories/ZDI-21-371/
Products affected by CVE-2021-29097
-
cpe:2.3:a:esri:arcgis_engine:10.3
-
cpe:2.3:a:esri:arcgis_engine:10.4
-
cpe:2.3:a:esri:arcgis_engine:10.5
-
cpe:2.3:a:esri:arcgis_engine:10.6
-
cpe:2.3:a:esri:arcgis_engine:10.7
-
cpe:2.3:a:esri:arcgis_engine:10.8
-
cpe:2.3:a:esri:arcgis_engine:10.8.1
-
cpe:2.3:a:esri:arcgis_pro:1.2
-
cpe:2.3:a:esri:arcgis_pro:1.3
-
cpe:2.3:a:esri:arcgis_pro:1.3.1
-
cpe:2.3:a:esri:arcgis_pro:1.4
-
cpe:2.3:a:esri:arcgis_pro:1.4.1
-
cpe:2.3:a:esri:arcgis_pro:2.0
-
cpe:2.3:a:esri:arcgis_pro:2.0.1
-
cpe:2.3:a:esri:arcgis_pro:2.1
-
cpe:2.3:a:esri:arcgis_pro:2.1.1
-
cpe:2.3:a:esri:arcgis_pro:2.1.2
-
cpe:2.3:a:esri:arcgis_pro:2.1.3
-
cpe:2.3:a:esri:arcgis_pro:2.2
-
cpe:2.3:a:esri:arcgis_pro:2.2.1
-
cpe:2.3:a:esri:arcgis_pro:2.2.2
-
cpe:2.3:a:esri:arcgis_pro:2.2.3
-
cpe:2.3:a:esri:arcgis_pro:2.2.4
-
cpe:2.3:a:esri:arcgis_pro:2.3
-
cpe:2.3:a:esri:arcgis_pro:2.3.1
-
cpe:2.3:a:esri:arcgis_pro:2.3.2
-
cpe:2.3:a:esri:arcgis_pro:2.3.3
-
cpe:2.3:a:esri:arcgis_pro:2.4
-
cpe:2.3:a:esri:arcgis_pro:2.4.1
-
cpe:2.3:a:esri:arcgis_pro:2.4.2
-
cpe:2.3:a:esri:arcgis_pro:2.4.3
-
cpe:2.3:a:esri:arcgis_pro:2.5
-
cpe:2.3:a:esri:arcgis_pro:2.5.1
-
cpe:2.3:a:esri:arcgis_pro:2.5.2
-
cpe:2.3:a:esri:arcgis_pro:2.6
-
cpe:2.3:a:esri:arcgis_pro:2.6.1
-
cpe:2.3:a:esri:arcgis_pro:2.6.2
-
cpe:2.3:a:esri:arcgis_pro:2.6.3
-
cpe:2.3:a:esri:arcgis_pro:2.6.4
-
cpe:2.3:a:esri:arcgis_pro:2.6.5
-
cpe:2.3:a:esri:arcgis_pro:2.6.6
-
cpe:2.3:a:esri:arcgis_pro:2.6.7
-
cpe:2.3:a:esri:arcgis_pro:2.6.8
-
cpe:2.3:a:esri:arcgis_pro:2.6.9
-
cpe:2.3:a:esri:arcgis_pro:2.7
-
cpe:2.3:a:esri:arcmap:-
-
cpe:2.3:a:esri:arcmap:10
-
cpe:2.3:a:esri:arcmap:10.0.2.3200
-
cpe:2.3:a:esri:arcmap:10.1
-
cpe:2.3:a:esri:arcmap:10.2
-
cpe:2.3:a:esri:arcmap:10.2.1
-
cpe:2.3:a:esri:arcmap:10.2.2
-
cpe:2.3:a:esri:arcmap:10.3
-
cpe:2.3:a:esri:arcmap:10.3.1
-
cpe:2.3:a:esri:arcmap:10.4
-
cpe:2.3:a:esri:arcmap:10.4.1
-
cpe:2.3:a:esri:arcmap:10.5
-
cpe:2.3:a:esri:arcmap:10.5.1
-
cpe:2.3:a:esri:arcmap:10.6
-
cpe:2.3:a:esri:arcmap:10.6.1
-
cpe:2.3:a:esri:arcmap:10.7
-
cpe:2.3:a:esri:arcmap:10.7.1
-
cpe:2.3:a:esri:arcmap:10.8
-
cpe:2.3:a:esri:arcmap:10.8.1
-
cpe:2.3:a:esri:arcmap:9.0
-
cpe:2.3:a:esri:arcreader:-
-
cpe:2.3:a:esri:arcreader:10.3
-
cpe:2.3:a:esri:arcreader:10.4
-
cpe:2.3:a:esri:arcreader:10.5
-
cpe:2.3:a:esri:arcreader:10.6
-
cpe:2.3:a:esri:arcreader:10.7
-
cpe:2.3:a:esri:arcreader:10.8
-
cpe:2.3:a:esri:arcreader:10.8.1