Skip to main content

Fme Server CVE-2018-20402

HIGH
Initialization of a Resource with an Insecure Default (CWE-1188)
2018-12-23 cve@mitre.org
8.8
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Dec 23, 2018 - 21:29 nvd
HIGH 8.8

DescriptionNVD

Safe Software FME Server through 2018.1 creates and enables three additional accounts in addition to the initial administrator account. The passwords to the three accounts are the same as the usernames, which are guest, user, and author. Logging in with these accounts will grant any user the default privilege roles that were also created for each of the accounts.

AnalysisAI

Safe Software FME Server through 2018.1 creates and enables three additional accounts in addition to the initial administrator account. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified under CWE-1188. Safe Software FME Server through 2018.1 creates and enables three additional accounts in addition to the initial administrator account. The passwords to the three accounts are the same as the usernames, which are guest, user, and author. Logging in with these accounts will grant any user the default privilege roles that were also created for each of the accounts. Affected products include: Safe Fme Server. Version information: through 2018.1.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

Share

CVE-2018-20402 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy