Known Issue: Lack of server-side validation when creating a new user in FME Server

Liz Sanderson
Known Issue ID: FMESERVER-18291
CVE: CVE-2022-38341 [High]
Discovered: FME Server 2021.2.3
Affects: All versions of FME Server
Resolved: FME Server 2021.2.6

This known issue affects all versions of FME Server prior to 2021.2.6. Public-facing FME Server instances, including FME Cloud, are at higher risk because the user-creation endpoint is reachable from the internet. We have not identified any active exploitation of this vulnerability in any of our products.

Symptom

CVE-2022-38341 [NIST High severity]: When a new user is created in FME Server, the backend does not re-validate the submitted data. A crafted POST request can therefore bypass the checks performed in the web UI and result in a username being overwritten.


Cause

The client-side (web UI) and server-side validation of user data in FME Server do not match: the UI rejects usernames containing invalid characters, but the server does not. A request that sends such a username directly to the backend can cause an existing username to be overwritten, which may allow an unwanted user to gain access.

Resolution

Upgrade FME Server to 2021.2.6 or newer, where this issue has been resolved. See the Downloads page for the latest version and our documentation for upgrading instructions. If you need assistance upgrading, please contact one of our Partners.

If you are unable to upgrade at this time, ensure that anyone with permission to create new users follows secure password practices, and restrict that permission to trusted administrators.

We recommend that usernames contain only letters and numbers.
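The Cause section above describes a client/server validation mismatch, and the recommendation is to keep usernames to letters and numbers. The following is an added example (not FME Server code, and not the code Safe Software shipped in the fix) that models the class of bug in a generic user-creation handler. The exact backend behaviour is not given in this advisory, so the vulnerable handler assumes one common way such an overwrite happens: the server checks for duplicates on the raw value, then strips disallowed characters before saving, so a name like `admin!` that the UI would have rejected collapses to `admin`. The hardened handler re-validates on the server with an allowlist, never transforms the value, and refuses to overwrite an existing account. All names, the in-memory store, and the request bodies are constructed for this example.

```python
import re
from typing import Dict

# Constructed in-memory account store for the example; username -> record.
# This is not FME Server's data model.
Store = Dict[str, dict]

# Allowlist matching the advisory's recommendation: letters and digits only.
USERNAME_RE = re.compile(r"[A-Za-z0-9]{1,64}")


def strip_invalid(username: str) -> str:
    """ASSUMED backend behaviour used to model the bug: drop characters
    outside the allowlist instead of rejecting the request."""
    return re.sub(r"[^A-Za-z0-9]", "", username)


def create_user_vulnerable(body: dict, store: Store) -> dict:
    """Vulnerable pattern (hypothetical model of the advisory's bug): the
    server trusts the UI to have validated the name, checks for duplicates
    on the raw value, then sanitizes it before saving. 'admin!' is not a
    duplicate of 'admin', but it becomes 'admin' when written, so the
    existing administrator record is replaced with attacker-chosen data."""
    raw = body["username"]
    if raw in store:
        return {"status": 409, "reason": "username exists"}
    saved = strip_invalid(raw)
    store[saved] = {"password_hash": body["password_hash"]}
    return {"status": 201, "username": saved}


def create_user_hardened(body: dict, store: Store) -> dict:
    """Hardened pattern: validate the exact submitted value on the server
    against an allowlist, never normalise it, and refuse to overwrite."""
    raw = body.get("username")
    if not isinstance(raw, str) or not USERNAME_RE.fullmatch(raw):
        return {"status": 400, "reason": "username must be letters and digits only"}
    if raw in store:
        return {"status": 409, "reason": "username exists"}
    store[raw] = {"password_hash": body["password_hash"]}
    return {"status": 201, "username": raw}


def demo() -> dict:
    """Send the same crafted POST body to both handlers and report what
    happened to the pre-existing 'admin' account in each store."""
    attacker_body = {"username": "admin!", "password_hash": "attacker-hash"}
    vuln_store: Store = {"admin": {"password_hash": "legit-hash"}}
    hard_store: Store = {"admin": {"password_hash": "legit-hash"}}
    v = create_user_vulnerable(attacker_body, vuln_store)
    h = create_user_hardened(attacker_body, hard_store)
    return {
        "vulnerable_response": v,
        "vulnerable_admin_hash": vuln_store["admin"]["password_hash"],
        "hardened_response": h,
        "hardened_admin_hash": hard_store["admin"]["password_hash"],
    }


if __name__ == "__main__":
    print(demo())
```

The point to check in any real deployment is the second one, not the first: the server must apply the same allowlist the UI applies, and must do so on the value it actually stores. Sanitising after a uniqueness check is what turns a cosmetic validation gap into an account takeover.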


Recognition

Safe would like to thank Cycura Data Protection Corp. for making this responsible disclosure to us and recognize their contribution to increasing the security standard of FME.


Reporting Security Issues

If you believe you have discovered a vulnerability in FME, our website, or our other products, please email us as quickly as possible at security (at) safe (dot) com.

We greatly appreciate the efforts of security researchers and discoverers who share information on security issues with us, giving us a chance to improve our products and better protect our users.

Please note that we do not compensate individuals or organizations for identifying potential or confirmed security vulnerabilities.
