Solved

FMEFlow affected by CVE-2024-50379 and CVE-2024-56337

  • January 9, 2025
  • 4 replies
  • 178 views

kihen
Participant

Hi! I am getting a warning that FMEFlow is affected by CVE-2024-56337. I am running FME Flow 2023.1.1.

Is this correct?
Is there a fix, or are these CVEs not applicable?

 

Best regards

/Kim
 


zoe.forbes
  • Safer
  • Best Answer
  • March 19, 2025

Hi Kim,

I can confirm FME Flow is not affected by CVE-2024-56337, CVE-2024-50379 or CVE-2025-24813, since these vulnerabilities require write access to the default servlet which Flow doesn’t provide.

Sorry it took so long for you to get a response to this! 

Thanks,
Zoe

 

Edit: Since this response, we’ve published an article on CVE-2025-24813’s impact on FME.


todd_davis
  • Supporter
  • March 19, 2025

@zoeforbes Is there going to be any article regarding CVE-2025-24813, which we can point clients to?

My indication yesterday to clients was that the default servlet is readonly, but I also said you guys would be looking into it to confirm.


zoe.forbes
  • Safer
  • March 19, 2025

Hi @todd_davis, there isn’t an article yet but I’ve let the Knowledge Base team know it’s been requested. They do however tend to only create articles for vulnerabilities affecting FME, so one may not be published.

If clients remain concerned, please feel free to submit a ticket with them CC’d. Unfortunately, there isn’t much more information we can provide beyond confirming that the vulnerabilities I mentioned above don’t affect Flow as the default servlet is read-only.


todd_davis
  • Supporter
  • March 19, 2025

Thanks @zoe.forbes. I have sent relevant clients a screenshot of your initial response, so hopefully that will suffice.

