CVE-2021-29101
ArcGIS GeoEvent Server has a Directory Traversal security vulnerability.
In short
ArcGIS GeoEvent Server versions 10.8.1 and earlier have a flaw that lets remote attackers read any file on the system without needing to log in. An attacker can manipulate file paths to access sensitive information stored on the server.
Technical detail
An unauthenticated remote attacker can exploit a directory traversal vulnerability (CWE-23) in ArcGIS GeoEvent Server ≤10.8.1 to read arbitrary files by placing path traversal sequences in requests. The vulnerability is read-only, so it does not allow direct modification of the system, but it enables disclosure of sensitive files on the affected system.
Summary generated and translated by AI from the official description.
ArcGIS GeoEvent Server versions 10.8.1 and below have a read-only directory path traversal vulnerability that could allow an unauthenticated, remote attacker to perform directory traversal attacks and read arbitrary files on the system.
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Affected products
Esri · ArcGIS GeoEvent Server