Known Issue: Arbitrary file upload with any authenticated FME Server account

Liz Sanderson
Known Issue ID: FMESERVER-18290
Discovered: FME Server 2021.2.3 and 2022.0
Affects: All versions of FME Server
Resolved: Unresolved - see Workaround

This known issue affects all versions of FME Server. Public-facing FME Server instances, including FME Cloud, are at higher risk. We have not identified any active exploitation of these vulnerabilities in any of our products.

Symptom

Files can be uploaded to FME Server restricted admin folders by any authenticated account. 


Cause

Certain FME Server folders require admin permissions, but because server-side validation of upload requests is limited, non-admin accounts can upload to them.


Workaround

Steps to prevent arbitrary file uploads:

  1. Ensure accounts follow password best practices.
  2. Disable the ability for user accounts and user roles to upload files, for both Resources and the Data Upload Service, if file uploads are not critical to the business.
  3. Run the FME Server services under a different user with more restricted file access and permissions.
  4. Install antivirus software and scan all uploaded files.
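As an added illustration (not Safe Software's code; the resource names, role names and paths below are constructed placeholders), this is the shape of a server-side authorization check that closes the gap described under Cause and enforces workaround step 2: the upload target, the caller's roles and the admin-only status of the folder are all validated on the server, independent of what the client interface shows.

```python
from pathlib import PurePosixPath

# Constructed placeholders: FME Server's real resource and role names are not given on the page.
ADMIN_ROLE = "admin"
RESTRICTED_RESOURCES = {"ENGINE_CONFIG", "SERVER_BACKUPS"}  # admin-only upload targets
UPLOAD_ROLES = {"admin", "uploader"}                         # roles allowed to upload at all (workaround step 2)


def normalise_relative_path(relative_path: str):
    """Return a clean path relative to the resource root, or None if it escapes it.

    Backslashes are rejected outright so a Windows-style '..\\' segment cannot slip
    through a POSIX-style parser on a Windows host."""
    if "\\" in relative_path:
        return None
    p = PurePosixPath(relative_path)          # collapses '.' segments, keeps '..'
    if p.is_absolute() or not p.parts or ".." in p.parts:
        return None
    return str(p)


def authorize_upload(user_roles: set, resource: str, relative_path: str):
    """Server-side decision for one upload request.

    Returns (True, clean_path) when the upload may proceed, otherwise
    (False, reason). Every check runs here, never only in the client UI."""
    clean = normalise_relative_path(relative_path)
    if clean is None:
        return False, "path escapes resource root"
    if not user_roles & UPLOAD_ROLES:
        return False, "role has no upload permission"
    # The check the advisory says was effectively missing: admin-only folders
    # must require the admin role, not merely an authenticated session.
    if resource in RESTRICTED_RESOURCES and ADMIN_ROLE not in user_roles:
        return False, "restricted folder requires admin role"
    return True, clean


if __name__ == "__main__":
    # Constructed requests: an admin writing to an admin folder, and a plain
    # authenticated uploader attempting the same target.
    print(authorize_upload({"admin"}, "ENGINE_CONFIG", "conf/job.fmw"))
    print(authorize_upload({"uploader"}, "ENGINE_CONFIG", "conf/job.fmw"))
```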


Recognition 

Safe would like to thank Cycura Data Protection Corp. for making this responsible disclosure to us and recognize their contribution to increasing the security standard of FME.


Reporting Security Issues

If you believe you have discovered a vulnerability in FME, our website, or our other products, please email us as quickly as possible at security (at) safe (dot) com. 

We greatly appreciate the efforts of security researchers and discoverers who share information on security issues with us, giving us a chance to improve our products and better protect our users.

Please note that we do not compensate individuals or organizations for identifying potential or confirmed security vulnerabilities.