Known Issue: FME Flow Arbitrary File Upload Vulnerability

Liz Sanderson

FME Version

  • FME 2022.2
Known Issue ID: FMEFLOW-18627
CVE: Pending
Discovered: 2022.0.1
Affects: FME Server versions prior to 2022.2
Resolved: FME Server 2022.2+ and FME Flow (formerly FME Server) 2023.0+

FME Flow Hosted (formerly FME Cloud) instances are not affected, as network shared resources are disallowed on FME Flow instances running on FME Flow Hosted. We have not identified active exploitation of this vulnerability in any of our products.

Symptom

FME Flow (formerly FME Server) offers the capability to create connections to network resources. If exploited, the vulnerability allows an authenticated user with access to an FME Flow instance to download sensitive files from the instance, or to upload files, such as a web shell, to it.

Cause

When a resource connection is updated, a logic flaw in resource creation and modification can be abused to gain read and write access to arbitrary locations on the instance.

Severity

Safe Software assesses the severity of this vulnerability as High, based on our calculated CVSS score of 7.4. This is our assessment; you should evaluate its applicability to your own IT environment.

Resolution

Upgrade to FME Server 2022.2 or FME Flow 2023.0 or newer, where this issue has been resolved. See the Downloads page for the latest version and our documentation for upgrading instructions. If you need assistance upgrading, please contact one of our Partners.

Workarounds

If you are unable to upgrade to FME Server 2022.2+ or FME Flow 2023.0+, we recommend the following workaround:

  • FME Flow administrators can restrict write permission for Resources to administrators only. This is done from the Role Management page by turning off the Create permission on all Resources and turning off the Write permission on each resource connection.

Recognition

We would like to thank Malware Security for making this responsible disclosure and recognize their contribution to increasing the security standard of the FME Platform.
Reporting Security Issues

If you believe you have discovered a vulnerability in the FME Platform, our website, or our other products, please email us as quickly as possible at security at safe dot com.

We greatly appreciate the efforts of security researchers and discoverers who share information on security issues with us, giving us a chance to improve our products and better protect our users.

Please note that we do not compensate individuals or organizations for identifying potential or confirmed security vulnerabilities.
Support

If you have questions or concerns regarding this advisory, please raise a support request.