CVE-2022-38342 - OpenCVE

Safe Software FME Server v2021.2.5, v2022.0.0.2 and below was discovered to contain a XML External Entity (XXE) vulnerability which allows authenticated attackers to perform data exfiltration or Server-Side Request Forgery (SSRF) attacks.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Safe	Fme Server

Configuration 1 [-]

OR	cpe:2.3:a:safe:fme_server::::::::
	cpe:2.3:a:safe:fme_server::::::::

No data.

References

Link	Providers
https://community.safe.com/s/article/Known-Issue-FME-Server-XXE-vulnerability-via-adding-a-repository-item
https://www.cycura.com/blog/safe-software-inc-fme-server-vulnerability-disclosure/

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2022-09-13T00:00:00

Updated: 2024-08-03T10:54:03.187Z

Reserved: 2022-08-15T00:00:00

Link: CVE-2022-38342

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-09-13T20:15:09.833

Modified: 2022-10-27T19:58:33.833

Link: CVE-2022-38342

Redhat

No data.

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:safe:fme_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "94E0610F-AA67-4A1F-9773-7FA5BD1A5849", "versionEndExcluding": "2021.2.6.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:safe:fme_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "A7D9EE5F-18D1-4F52-94B3-F51092DFDFBD", "versionEndExcluding": "2022.0.0.2", "versionStartIncluding": "2022.0.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Safe Software FME Server v2021.2.5, v2022.0.0.2 and below was discovered to contain a XML External Entity (XXE) vulnerability which allows authenticated attackers to perform data exfiltration or Server-Side Request Forgery (SSRF) attacks."}, {"lang": "es", "value": "Se ha detectado que Safe Software FME Server v2021.2.5, v2022.0.0.2 y posteriores contienen una vulnerabilidad de entidad externa XML (XXE) que permite a los atacantes autentificados realizar ataques de exfiltraci\u00f3n de datos o de falsificaci\u00f3n de solicitudes del lado del servidor (SSRF)"}], "id": "CVE-2022-38342", "lastModified": "2022-10-27T19:58:33.833", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 4.7, "source": "cve@mitre.org", "type": "Secondary"}]}, "published": "2022-09-13T20:15:09.833", "references": [{"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://community.safe.com/s/article/Known-Issue-FME-Server-XXE-vulnerability-via-adding-a-repository-item"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://www.cycura.com/blog/safe-software-inc-fme-server-vulnerability-disclosure/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-611"}], "source": "nvd@nist.gov", "type": "Primary"}]}