CVE-2021-29112

An out-of-bounds read vulnerability exists when parsing a specially crafted file in Esri ArcReader 10.8.1 (and earlier) which allow an unauthenticated attacker to induce an information disclosure issue in the context of the current user.

CVSS v3 5.5 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://www.esri.com/arcgis-blog/products/arcgis-desktop/administration/arcreader-general-data-frame-security-update/	Vendor Advisory
https://www.esri.com/arcgis-blog/products/arcgis-desktop/administration/arcreader-general-data-frame-security-update/	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:esri:arcreader:*:*:*:*:*:*:*:*

History

21 Nov 2024, 06:00

Type	Values Removed	Values Added
References	~~() https://www.esri.com/arcgis-blog/products/arcgis-desktop/administration/arcreader-general-data-frame-security-update/ - Vendor Advisory~~	() https://www.esri.com/arcgis-blog/products/arcgis-desktop/administration/arcreader-general-data-frame-security-update/ - Vendor Advisory

15 Aug 2022, 19:02

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.5
CPE		cpe:2.3:a:esri:arcreader::::::::
CWE		CWE-125
References	~~(CONFIRM) https://www.esri.com/arcgis-blog/products/arcgis-desktop/administration/arcreader-general-data-frame-security-update/ -~~	(CONFIRM) https://www.esri.com/arcgis-blog/products/arcgis-desktop/administration/arcreader-general-data-frame-security-update/ - Vendor Advisory

12 Aug 2022, 19:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2022-08-12 19:15

Updated : 2024-11-21 06:00

NVD link : CVE-2021-29112

Mitre link : CVE-2021-29112

CVE.ORG link : CVE-2021-29112

JSON object : View

Products Affected

esri

arcreader

CWE

CWE-125

Out-of-bounds Read

{"id": "CVE-2021-29112", "metrics": {"cvssMetricV30": [{"type": "Secondary", "source": "psirt@esri.com", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 3.3, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 1.8}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2022-08-12T19:15:07.877", "references": [{"url": "https://www.esri.com/arcgis-blog/products/arcgis-desktop/administration/arcreader-general-data-frame-security-update/", "tags": ["Vendor Advisory"], "source": "psirt@esri.com"}, {"url": "https://www.esri.com/arcgis-blog/products/arcgis-desktop/administration/arcreader-general-data-frame-security-update/", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "psirt@esri.com", "description": [{"lang": "en", "value": "CWE-125"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-125"}]}], "descriptions": [{"lang": "en", "value": "An out-of-bounds read vulnerability exists when parsing a specially crafted file in Esri ArcReader 10.8.1 (and earlier) which allow an unauthenticated attacker to induce an information disclosure issue in the context of the current user."}, {"lang": "es", "value": "Se presenta una vulnerabilidad de lectura fuera de l\u00edmites cuando es analizado un archivo especialmente dise\u00f1ado en Esri ArcReader versiones 10.8.1 (y anteriores) que permite a un atacante no autenticado inducir un problema de divulgaci\u00f3n de informaci\u00f3n en el contexto del usuario actual."}], "lastModified": "2024-11-21T06:00:44.440", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:esri:arcreader:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "93D3FB72-81E3-4DA3-88E7-B12BEDE51A53", "versionEndIncluding": "10.8.1"}], "operator": "OR"}]}], "sourceIdentifier": "psirt@esri.com"}