CVE-2021-29118: 
Esri ArcGIS ArcReader vulnerability analysis and mitigation

An out-of-bounds read vulnerability (CVE-2021-29118) was identified in Esri ArcReader 10.8.1 and earlier versions. The vulnerability allows an unauthenticated attacker to trigger information disclosure in the context of the current user when parsing specially crafted files. This security issue was addressed with the release of ArcReader 10.8.2, which was announced as the final version of the software (Esri Blog).

The vulnerability is classified as an Out-of-bounds Read (CWE-125) issue. According to the CVSS 3.1 scoring system, it received a base score of 5.5 (MEDIUM) from NIST with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N, while the vendor Environmental Systems Research Institute, Inc. assessed it with a lower base score of 3.3 (LOW) with the vector string CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N (NVD).

The vulnerability can lead to information disclosure when exploited, with the potential impact limited to the context of the current user. The severity of the information disclosure varies between assessments, with NIST rating the confidentiality impact as High, while Esri rates it as Low (NVD, Esri Blog).

Esri has released ArcReader 10.8.2 as the final version, which includes fixes for this vulnerability. The vendor strongly encourages users to transition to updated alternatives, including ArcGIS Pro for publishing and sharing map packages, and the ArcGIS Pro version of the ArcGIS Publisher extension in conjunction with ArcGIS Field Maps (Esri Blog).