Vulnerability Note VU#795644
Esri ArcGIS server 10.1 contains a blind SQL injection vulnerability
Esri's ArcGIS server version 10.1 contains a blind SQL injection vulnerability that allows remote attackers to execute a subset of SQL commands via a query operation where clause.
The Esri ArcGIS server version 10.1 contains a blind SQL injection vulnerability (CWE-89) for REST service queries. The where form field when constructing a query does not properly sanitize SQL commands from the input.
A remote authenticated attacker may be able to run a subset of SQL commands against the back-end database.
Apply an Update
Disable the query
Vendor Information (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Environmental Systems Research Institute Inc||Affected||25 Sep 2012||07 Nov 2012|
CVSS Metrics (Learn More)
Thank you to the reporter that wishes to remain anonymous.
This document was written by Jared Allar.
- CVE IDs: CVE-2012-4949
- Date Public: 29 Oct 2012
- Date First Published: 09 Nov 2012
- Date Last Updated: 19 Nov 2012
- Document Revision: 31
If you have feedback, comments, or additional information about this vulnerability, please send us email.