The developer of FME, Safe Software Inc., has informed us that new versions of FME Server are available that close known security vulnerabilities. The manufacturer's letter below provides detailed information and links to further reading. Please note that you (currently) need to register in order to access the FME Community articles.
At Safe, we understand that security is a growing concern for your organization. We take the protection of your data very seriously, and we are committed to taking a proactive and transparent approach to informing you of security advisories in our products.
We have released an update to FME Server that addresses six vulnerabilities in FME Server that were recently discovered and disclosed to us privately. This update, available in FME 2021.2.6 and 2022.0.1.1, fixes the majority of these vulnerabilities and is available for download here. We have also published mitigation guidance for users to further protect their FME Server (viewable by registered FME Community users only).
The six identified vulnerabilities affect all versions of FME Server. Public-facing FME Server instances, including FME Cloud, are at higher risk. FME Desktop is not impacted. We have not identified any active exploitation of these vulnerabilities in any of our products.
To learn how to limit your exposure and mitigate these issues, please see the below articles:
- Known Issue: Arbitrary file upload with any authenticated FME Server account https://community.safe.com/s/article/Known-Issue-Arbitrary-file-upload-with-any-authenticated-FME-Server-account
- Known Issue: FME Server vulnerability with arbitrary path traversal and file upload
- Known Issue: FME Server XXE vulnerability via adding a repository item
- Known Issue: Lack of server-side validation when creating a new user in FME Server
- Known Issue: FME Server missing validation which may result in an unwanted redirect upon login
- Known Issue: FME Server unauthenticated and authenticated stored cross-site scripting (XSS) vulnerabilities
If you believe you have discovered a vulnerability in our products, please email us as quickly as possible at email@example.com.
Please note that we do not compensate individuals or organizations for identifying potential or confirmed security vulnerabilities.