CVE-2012-4949

medium

Published 2012-11-14 · Modified 2026-04-29

CVSS v3

—

CVSS v2

6.5

VIR risk

6.5

Description

SQL injection vulnerability in ESRI ArcGIS 10.1 allows remote authenticated users to execute arbitrary SQL commands via the where parameter to a query URI for a REST service.

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No vendor mitigations ingested yet for this CVE. The mitigation-content worker queues fetches as references arrive — check back in a few minutes, or see the references list below.

Application impact

Vendor	Product	Versions	Fixed
esri	arcgis_server	`10.1`

References

http://www.kb.cert.org/vuls/id/795644
https://exchange.xforce.ibmcloud.com/vulnerabilities/79977
http://www.kb.cert.org/vuls/id/795644
https://exchange.xforce.ibmcloud.com/vulnerabilities/79977

CWEs

CWE-89

Verify integrity in audit chain (admin only). AS-IS.