CVE-2022-38340 - OpenCVE

Safe Software FME Server v2021.2.5, v2022.0.0.2 and below was discovered to contain a Path Traversal vulnerability via the component fmedataupload.

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Safe	Fme Server

Configuration 1 [-]

OR	cpe:2.3:a:safe:fme_server::::::::
	cpe:2.3:a:safe:fme_server::::::::

References

Link	Resource
https://community.safe.com/s/article/Known-Issue-Arbitrary-file-upload-with-any-authenticated-FME-Server-account	Third Party Advisory
https://community.safe.com/s/article/Known-Issue-FME-Server-vulnerability-with-arbitrary-path-traversal-and-file-upload	Patch Vendor Advisory
https://www.cycura.com/blog/safe-software-inc-fme-server-vulnerability-disclosure/	Product

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2022-09-20T00:00:00

Updated: 2022-10-13T00:00:00

Reserved: 2022-08-15T00:00:00

Link: CVE-2022-38340

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-09-20T18:15:10.310

Modified: 2022-11-03T19:45:35.417

Link: CVE-2022-38340

JSON object: View

Redhat Information

No data.

CWE

CWE-22

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:safe:fme_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "B1AA548A-73C3-4845-B7A6-B87E1C48F205", "versionEndExcluding": "2021.2.6", "vulnerable": true}, {"criteria": "cpe:2.3:a:safe:fme_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "86F1A984-B42D-4B51-9359-F5AEB4E9D6F0", "versionEndExcluding": "2022.0.1", "versionStartIncluding": "2022.0.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Safe Software FME Server v2021.2.5, v2022.0.0.2 and below was discovered to contain a Path Traversal vulnerability via the component fmedataupload."}, {"lang": "es", "value": "Se ha descubierto que Safe Software FME Server v2021.2.5, v2022.0.0.2 e inferiores contienen una vulnerabilidad de Path Traversal a trav\u00e9s del componente fmedataupload"}], "id": "CVE-2022-38340", "lastModified": "2022-11-03T19:45:35.417", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 6.0, "source": "cve@mitre.org", "type": "Secondary"}]}, "published": "2022-09-20T18:15:10.310", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://community.safe.com/s/article/Known-Issue-Arbitrary-file-upload-with-any-authenticated-FME-Server-account"}, {"source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"], "url": "https://community.safe.com/s/article/Known-Issue-FME-Server-vulnerability-with-arbitrary-path-traversal-and-file-upload"}, {"source": "cve@mitre.org", "tags": ["Product"], "url": "https://www.cycura.com/blog/safe-software-inc-fme-server-vulnerability-disclosure/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}]}