CVE-2021-29112: 
Esri ArcGIS ArcReader vulnerability analysis and mitigation

An out-of-bounds read vulnerability (CVE-2021-29112) was identified in Esri ArcReader 10.8.1 and earlier versions. The vulnerability is classified as CWE-125 (Out-of-Bounds Read) and affects the software's file parsing functionality (NVD, Esri Blog).

The vulnerability is categorized as an Out-of-Bounds Read (CWE-125) with a CVSS v3.1 base score of 3.3 and a temporal score of 2.9. The technical assessment indicates that the vulnerability requires local access (AV:L), low attack complexity (AC:L), no privileges (PR:N), and user interaction (UI:R). The scope is unchanged (S:U), with low confidentiality impact (C:L), no integrity impact (I:N), and no availability impact (A:N) (Esri Blog).

The vulnerability's impact is primarily limited to confidentiality, with the potential for unauthorized information disclosure through out-of-bounds read operations when parsing specially crafted files. The low CVSS score of 3.3 indicates a relatively minor security impact (Esri Blog).

Esri has released ArcReader 10.8.2 which includes fixes for this vulnerability. The company recommends users transition to updated alternatives for publishing and sharing map packages with ArcGIS Pro, and workflows using the ArcGIS Pro version of the ArcGIS Publisher extension in conjunction with ArcGIS Field Maps. ArcReader 10.8.2 is noted as the last release of the software (Esri Blog).