CVE-2021-29108
There is an privilege escalation vulnerability in organization-specific logins in Esri Portal for ArcGIS versions 10.9 and below.
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
There is an privilege escalation vulnerability in organization-specific logins in Esri Portal for ArcGIS versions 10.9 and below that may allow a remote, authenticated attacker who is able to intercept and modify a SAML assertion to impersonate another account (XML Signature Wrapping Attack). In addition patching, Esri also strongly recommends as best practice for SAML assertions to be signed and encrypted.
Existe una vulnerabilidad de escalada de privilegios en los inicios de sesión específicos de la organización en Esri Portal for ArcGIS versiones 10.9 y anteriores que puede permitir que un atacante remoto autenticado que pueda interceptar y modificar una aserción SAML suplante a otra cuenta (XML Signature Wrapping Attack). Además de la aplicación de parches, Esri también recomienda encarecidamente como práctica recomendada que las aserciones SAML estén firmadas y cifradas.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2021-03-23 CVE Reserved
- 2021-10-01 CVE Published
- 2023-12-24 EPSS Updated
- 2024-09-16 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-347: Improper Verification of Cryptographic Signature
CAPEC
- CAPEC-473: Signature Spoof
References (2)
URL | Tag | Source |
---|---|---|
https://downloads.esri.com/RESOURCES/ENTERPRISEGIS/Organization-Specific_Logins_FAQs.pdf | Product |
URL | Date | SRC |
---|
URL | Date | SRC |
---|
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Esri Search vendor "Esri" | Portal For Arcgis Search vendor "Esri" for product "Portal For Arcgis" | <= 10.9 Search vendor "Esri" for product "Portal For Arcgis" and version " <= 10.9" | - |
Affected
|