SQL Injection in Esri Arcgis_server
CVE-2012-4949
SQL injection vulnerability in ESRI ArcGIS 10.1 allows remote authenticated users to execute arbitrary SQL commands via the where parameter to a query URI for a REST service.
Vulnerability class: SQL Injection
EPSS: 0.013 (percentile: 80.2)
Affected products
- Esri Arcgis_server — versions 10.1
Weakness classification (CWE)
References
- XF: esriarcgis-where-sql-injection(79977) (VDB Entry)
- CERT-VN: VU#795644 (US Government Resource, Third Party Advisory)