CVE-2021-29097 — HIGH (7.8)

Q: How severe is CVE-2021-29097?

CVE-2021-29097 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2021-29097?

Check the references section above for vendor advisories and patch information. Affected products include: Esri Arcgis Engine, Esri Arcgis Pro, Esri Arcmap, Esri Arcreader.

Vulnerability Description

Multiple buffer overflow vulnerabilities when parsing a specially crafted file in Esri ArcReader, ArcGIS Desktop, ArcGIS Engine 10.8.1 (and earlier) and ArcGIS Pro 2.7 (and earlier) allow an unauthenticated attacker to achieve arbitrary code execution in the context of the current user.

CVSS Score

7.8

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Esri	Arcgis Engine	<= 10.8.1
Esri	Arcgis Pro	<= 2.7
Esri	Arcmap	<= 10.8.1
Esri	Arcreader	<= 10.8.1

Related Weaknesses (CWE)

CWE-121 CWE-122 CWE-119

References

https://www.esri.com/arcgis-blog/products/arcgis/administration/security-advisorVendor Advisory
https://www.zerodayinitiative.com/advisories/ZDI-21-360/Third Party AdvisoryVDB Entry
https://www.zerodayinitiative.com/advisories/ZDI-21-363/Third Party AdvisoryVDB Entry
https://www.zerodayinitiative.com/advisories/ZDI-21-364/Third Party AdvisoryVDB Entry
https://www.zerodayinitiative.com/advisories/ZDI-21-365/Third Party AdvisoryVDB Entry
https://www.zerodayinitiative.com/advisories/ZDI-21-367/Third Party AdvisoryVDB Entry
https://www.zerodayinitiative.com/advisories/ZDI-21-368/Third Party AdvisoryVDB Entry
https://www.zerodayinitiative.com/advisories/ZDI-21-369/Third Party AdvisoryVDB Entry
https://www.zerodayinitiative.com/advisories/ZDI-21-371/Third Party AdvisoryVDB Entry
https://www.esri.com/arcgis-blog/products/arcgis/administration/security-advisorVendor Advisory
https://www.zerodayinitiative.com/advisories/ZDI-21-360/Third Party AdvisoryVDB Entry
https://www.zerodayinitiative.com/advisories/ZDI-21-363/Third Party AdvisoryVDB Entry
https://www.zerodayinitiative.com/advisories/ZDI-21-364/Third Party AdvisoryVDB Entry
https://www.zerodayinitiative.com/advisories/ZDI-21-365/Third Party AdvisoryVDB Entry
https://www.zerodayinitiative.com/advisories/ZDI-21-367/Third Party AdvisoryVDB Entry

FAQ

What is CVE-2021-29097?

CVE-2021-29097 is a vulnerability with a CVSS score of 7.8 (HIGH). Multiple buffer overflow vulnerabilities when parsing a specially crafted file in Esri ArcReader, ArcGIS Desktop, ArcGIS Engine 10.8.1 (and earlier) and ArcGIS Pro 2.7 (and earlier) allow an unauthent...

How severe is CVE-2021-29097?

CVE-2021-29097 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2021-29097?

Check the references section above for vendor advisories and patch information. Affected products include: Esri Arcgis Engine, Esri Arcgis Pro, Esri Arcmap, Esri Arcreader.