
Cloud Vulnerability DB
A community-led vulnerabilities database
A SQL injection vulnerability (CVE-2021-29099) was identified in certain configurations of ArcGIS Server versions 10.8.1 and earlier. It had been discovered and disclosed by March 31, 2021, and affects Esri ArcGIS Server installations. The flaw allows specially crafted web requests to expose unintended information, though notably not customer datasets (Esri Blog).
The vulnerability is classified as CWE-89 (SQL Injection) with a CVSS v3.1 Base Score of 5.3 and a Temporal Score of 4.8. The technical assessment indicates proof-of-concept exploit code maturity, with official fixes available and the vulnerability confirmed by Esri. The CVSS vector string is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (Esri Blog).
The impact is limited to information disclosure (the vector rates confidentiality impact as low and integrity and availability as none), and customer datasets are specifically not affected. The 5.3 base score places the vulnerability at moderate severity (Esri Blog).
Several mitigation measures are available. Web services backed by file-based data sources (file geodatabases, shapefiles, or tile cached services) are unaffected, since no database query is involved. By default, services published to ArcGIS Enterprise are not available anonymously, so an unauthenticated request cannot reach them. Database accounts used by published services should be configured under the principle of least privilege, so that even a successful injection can only read what the service itself is entitled to read. Esri has released official updates for ArcGIS Server that resolve the vulnerability (Esri Blog).
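The CWE-89 classification above and the parameterization/least-privilege guidance in the mitigation paragraph can be illustrated with the following added example. It is not Esri's code and does not reproduce the ArcGIS Server defect, whose exact query is not described here; it uses a constructed in-memory SQLite table (`parcels`, with a `public` flag marking rows a web service must never return) and shows how a filter value spliced into SQL text returns rows outside the intended set, while the same value bound as a parameter cannot change the query's structure.

```python
import sqlite3

# Constructed sample data: a small "parcels" layer with a visibility flag.
# Rows with public = 0 stand in for the "unintended information" a service
# must never expose; the table and values are invented for this example.
SAMPLE_ROWS = [
    (1, "Riverside Park", 1),
    (2, "Town Hall", 1),
    (3, "Water treatment intake", 0),  # internal-only feature
]


def open_sample_db() -> sqlite3.Connection:
    """Create the constructed sample database in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE parcels (objectid INTEGER PRIMARY KEY, name TEXT, public INTEGER)"
    )
    conn.executemany("INSERT INTO parcels VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def query_vulnerable(conn: sqlite3.Connection, name_filter: str) -> list[str]:
    """CWE-89 pattern: the caller-controlled filter is concatenated into the SQL text,
    so a value containing a quote can rewrite the WHERE clause and bypass public = 1."""
    sql = "SELECT name FROM parcels WHERE public = 1 AND name = '" + name_filter + "'"
    return [row[0] for row in conn.execute(sql)]


def query_hardened(conn: sqlite3.Connection, name_filter: str) -> list[str]:
    """Parameterized form: the filter is bound as a value by the driver and is never
    interpreted as SQL, so the public = 1 restriction always applies."""
    sql = "SELECT name FROM parcels WHERE public = 1 AND name = ?"
    return [row[0] for row in conn.execute(sql, (name_filter,))]


# A filter value that closes the string literal and appends an always-true clause.
CRAFTED_FILTER = "x' OR '1'='1"


def leaks_restricted(rows: list[str]) -> bool:
    """True if any returned row is one the service was not meant to disclose."""
    restricted = {name for _, name, public in SAMPLE_ROWS if public == 0}
    return any(name in restricted for name in rows)


def demo() -> dict:
    """Run both query styles against the same crafted and benign inputs."""
    conn = open_sample_db()
    return {
        "vulnerable": query_vulnerable(conn, CRAFTED_FILTER),
        "hardened": query_hardened(conn, CRAFTED_FILTER),
        "benign": query_hardened(conn, "Town Hall"),
    }


if __name__ == "__main__":
    results = demo()
    for label, rows in results.items():
        print(f"{label:10s} -> {rows}  leaks restricted: {leaks_restricted(rows)}")
```

Parameterization closes the injection itself; the least-privilege recommendation is the second layer, because a database account granted only SELECT on the tables a service publishes cannot be used to read anything else even if a query is ever built unsafely.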
The vulnerability was responsibly disclosed; Esri credits security researchers Elwood Buck and Peter Davies of MindPoint Group with its discovery (Esri Blog).
Source: This report was generated using AI