{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2025-35056","assignerOrgId":"9119a7d8-5eab-497f-8521-727c672e3725","state":"PUBLISHED","assignerShortName":"cisa-cg","dateReserved":"2025-04-15T20:56:24.406Z","datePublished":"2025-10-09T20:21:10.405Z","dateUpdated":"2025-10-15T16:15:37.325Z"},"containers":{"cna":{"descriptions":[{"lang":"en","value":"Newforma Info Exchange (NIX) '/UserWeb/Common/MarkupServices.ashx' 'StreamStampImage' accepts an encrypted file path and returns an image of the specified file. An authenticated attacker can read arbitrary files subject to the privileges of NIX, typically 'NT AUTHORITY\\NetworkService', and the ability of StreamStampImage to process the file. The encrypted file path can be generated using the shared, hard-coded secret key described in CVE-2025-35052. This vulnerability cannot be exploited as an 'anonymous' user as described in CVE-2025-35062."}],"affected":[{"vendor":"Newforma","product":"Project Center","defaultStatus":"unknown","versions":[{"version":"0","status":"affected","lessThan":"2024.1","versionType":"custom"},{"version":"2024.1","status":"unaffected"}]}],"problemTypes":[{"descriptions":[{"description":"CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","lang":"en","type":"CWE","cweId":"CWE-22"}]}],"metrics":[{"cvssV3_1":{"scope":"CHANGED","version":"3.1","baseScore":5,"attackVector":"NETWORK","baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N","integrityImpact":"NONE","userInteraction":"NONE","attackComplexity":"LOW","availabilityImpact":"NONE","privilegesRequired":"LOW","confidentialityImpact":"LOW"}},{"cvssV4_0":{"version":"4.0","baseScore":5.3,"attackVector":"NETWORK","baseSeverity":"MEDIUM","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N","userInteraction":"NONE","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","subIntegrityImpact":"NONE","vulnIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"LOW","vulnConfidentialityImpact":"LOW"}},{"other":{"type":"ssvc","content":{"timestamp":"2025-08-20T22:41:23.259717Z","id":"CVE-2025-35056","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"Newforma Info Exchange (NIX) limited file read","references":[{"name":"url","url":"https://www.cve.org/CVERecord?id=CVE-2025-35062"},{"name":"url","url":"https://www.cve.org/CVERecord?id=CVE-2025-35056"},{"name":"url","url":"https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-282-01.json"}],"credits":[{"value":"Shadron Gudmunson,Luke Rindels,Robert McCain,Asjha Stus,Adam Merrill,Ryan Kao,Brian Healy, Sandia National Laboratories Adversarial Modeling and Penetration Testing (AMPT)","lang":"en"}],"datePublic":"2025-10-09T00:00:00.000Z","providerMetadata":{"orgId":"9119a7d8-5eab-497f-8521-727c672e3725","shortName":"cisa-cg","dateUpdated":"2025-10-09T20:21:10.405Z"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2025-10-10T19:33:31.276952Z","id":"CVE-2025-35056","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-10-15T16:15:37.325Z"}}]}}