The FME developer Safe Software Inc. has informed us that new versions of FME Server are available that close known security vulnerabilities. The letter from the manufacturer below gives the details and links to further information. Please note that (currently) you need to register to access the articles in the FME Community.
At Safe, we understand that security is a growing concern for your organization. We take the protection of your data very seriously, and we are committed to taking a proactive and transparent approach to informing you of security advisories in our products.
We have released an update to FME Server that addresses six vulnerabilities in FME Server that were recently discovered and disclosed to us privately. This update, available in FME 2021.2.6 and 2022.0.1.1, fixes the majority of these vulnerabilities and is available for download here. We have also published mitigation guidance for users to further protect their FME Server (viewable by registered FME Community users only).
The six identified vulnerabilities affect all versions of FME Server. Public-facing FME Server instances, including FME Cloud, are at higher risk. FME Desktop is not impacted. We have not identified any active exploitation of these vulnerabilities in any of our products.
To learn how to limit your exposure and mitigate these issues, please see the articles below:
- Known Issue: Arbitrary file upload with any authenticated FME Server account https://community.safe.com/s/article/Known-Issue-Arbitrary-file-upload-with-any-authenticated-FME-Server-account
- Known Issue: FME Server vulnerability with arbitrary path traversal and file upload
- Known Issue: FME Server XXE vulnerability via adding a repository item
- Known Issue: Lack of server-side validation when creating a new user in FME Server
- Known Issue: FME Server missing validation which may result in an unwanted redirect upon login
- Known Issue: FME Server unauthenticated and authenticated stored cross-site scripting (XSS) vulnerabilities
If you believe you have discovered a vulnerability in our products, please email us as quickly as possible at firstname.lastname@example.org.
Please note that we do not compensate individuals or organizations for identifying potential or confirmed security vulnerabilities.