Affected Product: FME Flow /FME Server

Affected Versions: Versions prior to 2022.2.5 (FME Server) and (FME Flow)

Fixed Version: FME Server 2022.2.5 and FME Flow (formerly FME Server) 2023.0

CVE-Number: CVE-2023-35801

Severity: 7.7 (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N)

Discovered by Ing. Simon Schönegger, BSc, MSc, Lejla Sarcevic, BSc, MSc

During a security assessment for a client, the security testers determined that the client was utilizing FME Server version 2022.1.1. The testers uncovered that this particular version was susceptible to a Directory Traversal/File Inclusion vulnerability, which results in the unauthorized reading and writing of arbitrary files. In order to exploit this vulnerability, an attacker would require access to a user account with at least write privileges.

Proof of Concept

FME Server offers the capability to integrate various resources, including network-based resources. FME Server checks if a given path for a network-based resource refers to a network-based resource by verifying the string’s format. If the string does not begin with \ the validation fails, and the resource cannot be saved. However, if a valid network path is initially provided, and the resource is later edited, the validation will allow any path, including paths from the local file system.

For further information, please refer to the vendor’s advisory: https://community.safe.com/s/article/Known-Issue-FME-Flow-Directory-Traversal-Vulnerability

Vendor contact timeline

DateAction
2023/01/02Discovery of the vulnerability
2023/04/19Disclosure of vulnerability using the vendors support mail
2023/04/28Vendors respond that they acknowledge the finding
2023/05/10Vendor responds that the vulnerabilities will be fixed in FME Server 2022.2.5 and FME Flow 2023.0 and asks for a dely of the public disclosure until an advisory is published
2023/05/20Vendor agrees to request CVE nuber for vulnerability
2023/06/17MITRE assigns CVE-2023-35801
2023/06/22Vendor publishes advisory regarding vulnerability