CVE-2022-38342 - OpenCVE

Safe Software FME Server v2021.2.5, v2022.0.0.2 and below was discovered to contain a XML External Entity (XXE) vulnerability which allows authenticated attackers to perform data exfiltration or Server-Side Request Forgery (SSRF) attacks.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Safe	Fme Server

Configuration 1 [-]

OR	cpe:2.3:a:safe:fme_server::::::::
	cpe:2.3:a:safe:fme_server::::::::

References

Link	Resource
https://community.safe.com/s/article/Known-Issue-FME-Server-XXE-vulnerability-via-adding-a-repository-item	Vendor Advisory
https://www.cycura.com/blog/safe-software-inc-fme-server-vulnerability-disclosure/	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2022-09-13T00:00:00

Updated: 2022-10-13T00:00:00

Reserved: 2022-08-15T00:00:00

Link: CVE-2022-38342

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-09-13T20:15:09.833

Modified: 2022-10-27T19:58:33.833

Link: CVE-2022-38342

JSON object: View

Redhat Information

No data.

CWE

CWE-611

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:safe:fme_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "94E0610F-AA67-4A1F-9773-7FA5BD1A5849", "versionEndExcluding": "2021.2.6.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:safe:fme_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "A7D9EE5F-18D1-4F52-94B3-F51092DFDFBD", "versionEndExcluding": "2022.0.0.2", "versionStartIncluding": "2022.0.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Safe Software FME Server v2021.2.5, v2022.0.0.2 and below was discovered to contain a XML External Entity (XXE) vulnerability which allows authenticated attackers to perform data exfiltration or Server-Side Request Forgery (SSRF) attacks."}, {"lang": "es", "value": "Se ha detectado que Safe Software FME Server v2021.2.5, v2022.0.0.2 y posteriores contienen una vulnerabilidad de entidad externa XML (XXE) que permite a los atacantes autentificados realizar ataques de exfiltraci\u00f3n de datos o de falsificaci\u00f3n de solicitudes del lado del servidor (SSRF)"}], "id": "CVE-2022-38342", "lastModified": "2022-10-27T19:58:33.833", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 4.7, "source": "cve@mitre.org", "type": "Secondary"}]}, "published": "2022-09-13T20:15:09.833", "references": [{"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://community.safe.com/s/article/Known-Issue-FME-Server-XXE-vulnerability-via-adding-a-repository-item"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://www.cycura.com/blog/safe-software-inc-fme-server-vulnerability-disclosure/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-611"}], "source": "nvd@nist.gov", "type": "Primary"}]}