CVE-2023-35801

HIGH

Safe Fme Server < 2022.2.5 - Path Traversal

Title source: rule

Description

A directory traversal vulnerability in Safe Software FME Server before 2022.2.5 allows an attacker to bypass validation when editing a network-based resource connection, resulting in the unauthorized reading and writing of arbitrary files. Successful exploitation requires an attacker to have access to a user account with write privileges. FME Flow 2023.0 is also a fixed version.

Exploits (1)

nomisec WRITEUP

by trustcves · poc

https://github.com/trustcves/CVE-2023-35801

View Code ZIP pw:eip

References (3)

Core 3

Core References

Product

https://community.safe.com/s/

Mitigation, Vendor Advisory

https://community.safe.com/s/article/Known-Issue-FME-Flow-Directory-Traversal-Vulnerability

Release Notes

https://downloads.safe.com/fme/2023/whatsnew_server_2023_0_0_3.txt

Scores

CVSS v3 8.1

EPSS 0.0036

EPSS Percentile 58.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-22

Status published

Products (1)

safe/fme_server < 2022.2.5

Published Jun 23, 2023

Tracked Since Feb 18, 2026