Headline
CVE-2022-31500: Security Advisories | KNIME
In KNIME Analytics Platform below 4.6.0, the Windows installer sets improper filesystem permissions.
This page summarizes all security advisories for KNIME Software products and services, including KNIME Analytics Platform, KNIME Server, and KNIME Hub.
Please note that the CVSS Score is an indication of the potential severity of the issue but not the risk. The actual risk needs to be assessed by every user individually because there may be circumstances where a high severity issue is not applicable and therefore does not pose a risk (and vice-versa).
If you want to know more about the CVSS Score, have a look at the resources provided by the Common Vulnerability Scoring System SIG.
CVE-2022-31500 - Windows installer for KNIME Analytics Platform allows for privilege escalation
- Published: 2022-05-24
- Affected Product: KNIME Analytics Platform before 4.6.0
- Base CVSS Score: 8.2
- Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H/E:F/RL:T/RC:X/CR:L/IR:L/AR:L/MAV:L/MAC:L/MPR:N/MUI:R/MS:C/MC:H/MI:H/MA:H
The installer for KNIME Analytics Platform on Windows before 4.6.0 makes the installation directory writeable to everyone on the system. This is useful so that the user can update or install extensions from a running KNIME Analytics Platform without having to restart the application as administrator. However, this also allows other authenticated local users on the system to (re)place malicious files in the installation e.g. replacing the uninstall program. The latter is run with administration privileges if the application is being uninstalled (by a user with administrative privileges). Starting with KNIME Analytics Platform 4.6.0 the installer will restrict write access to the installation directory to admin users. This also means that in order to update or install additional extensions, KNIME Analytics Platform must first be started with admin privileges.
Note that the KNIME Server installer for Windows, which can create a KNIME Analytics Platform installation used as an executor, is not affected.
Workaround
Existing installations can be “fixed” by restricting the permissions of the installation folder manually. If you use the self-extracting archive or the ZIP file the default permissions on Windows apply, which usually means that only the extracting user has write permissions on the installation directory. In this case update or installation of extensions is possible without starting KNIME Analytics Platform as admin user.
The vulnerability was found and reported by Łukasz Rupala & Przemysław Mazurek.
CVE-2021-45096 - External XML Entity Injection with specially crafted workflow files
- Published: 2021-12-16
- Affected Product: KNIME Analytics Platform before 4.5.0
- Base CVSS Score: 4.3
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
KNIME Analytics Platform before 4.5.0 with resolve external entities in workflow.knime files when loading a workflow. Using a specially crafted workflow file, potentially sensitive information such as Windows network password hashes maybe leaked to a remote system. It can not be used to leak information from a remote system e.g. when a workflow is loaded on KNIME Server.
The vulnerability was found and reported by Dawid Czarnecki from NATO.
****CVE-2021-45097 -** Server installer does not restrict permission on auto-install.xml**
- Published: 2021-12-16
- Affected Product: KNIME Server before 4.12.6 and 4.13.x before 4.13.4
- Base CVSS Score: 2.9
- Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
KNIME Server before 4.12.6 and 4.13.x before 4.13.4 (when installed in unattended mode) keeps the administrator’s password in a file without appropriate file access controls, allowing all local users to read its content.
The vulnerability was found and reported by Dawid Czarnecki from NATO.
CVE-2021-44725 - Directory path traversal when requesting client profiles
- Published: 2021-12-07
- Affected Product: KNIME Server between 4.7.0 and below 4.11.6, 4.12.5, 4.13.4, respectively
- Base CVSS Score: 7.5
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
The server managed customizations functionality of KNIME Server starting at version 4.7.0 is vulnerable to Directory Path Traversal attacks. By manipulating variables that reference files by prepending “dot-dot-slash (…/)” sequences and their variations or by using absolute file paths, it is possible to access arbitrary files and directories stored on the file system including application source code, configuration, and database. Due to the file-based architecture of KNIME Server, this vulnerability allows stealing users’ data
such as password hashes, workflows, licenses, jobs, and so on. No authentication is required to exploit this vulnerability.
The issue is fixed in KNIME Server 4.13.4, 4.12.5, and 4.11.6 which have been released today. All customers are advised to update their server’s immediately.
Workaround
If you cannot update right away you can apply the following workaround which prevents access to client profiles for any user:
Locate <apache-tomcat>/webapps/knime/WEB-INF/web.xml
Edit the file and add the following block before the existing line <deny-uncovered-http-methods /> at the bottom of the file:
… <security-constraint> <web-resource-collection> <web-resource-name>Profiles <url-pattern>/rest/v4/profiles/contents </web-resource-collection> <auth-constraint /> </security-constraint>
<deny-uncovered-http-methods /> </web-app>
Restart KNIME Server.
The vulnerability was found and reported by Dawid Czarnecki from NATO.
CVE-2021-44726 - Cross-Site-Scripting vulnerability in old WebPortal login
- Published: 2021-12-07
- Affected Product: KNIME Server below 4.13.4
- Base CVSS Score: 8.8
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L
The old KNIME WebPortal login page up to version 4.13.3 contains a DOM-based XSS vulnerability that once exploited, can be used to run any action as a victim user via malicious JavaScript. If the victim user is an administrator, it could be used to create a new administrator. To exploit the vulnerability it is required to create a specially crafted URL and convince the victim to open it. No authentication is required to exploit the vulnerability, however, authenticated users can be targeted.
The vulnerability was found and reported by Dawid Czarnecki from NATO
Related news
Missing HTTP headers (X-Frame-Options, Content-Security-Policy) in KNIME Business Hub before 1.4.0 has left users vulnerable to click jacking. Clickjacking is an attack that occurs when an attacker uses a transparent iframe in a window to trick a user into clicking on an actionable item, such as a button or link, to another server in which they have an identical webpage. The attacker essentially hijacks the user activity intended for the original server and sends them to the other server.
The Web Frontend of KNIME Business Hub before 1.4.0 allows an unauthenticated remote attacker to access internals about the application such as versions, host names, or IP addresses. No personal information or application data was exposed.
Sensitive information exposure in the Web Frontend of KNIME Business Hub until 1.X allows an unauthenticated attacker to extract information about the system. By making a request to a non-existent URL the system will sensitive information to the caller such as internal IP addresses, hostnames, Istio metadata, internal file paths and more. The problem is fixed in KNIME Business Hub 1.xxx. There is no workaround for previous versions.
A directory traversal vulnerability in the ZIP archive extraction routines of KNIME Analytics Platform 3.2.0 and above can result in arbitrary files being overwritten on the user's system. This vulnerability is also known as 'Zip-Slip'. An attacker can create a KNIME workflow that, when being opened by a user, can overwrite arbitrary files that the user has write access to. It's not necessary to execute the workflow, opening the workflow is sufficient. The user will notice that something is wrong because an error is being reported but only after the files have already been written. This can impact data integrity (file contents are changed) or cause errors in other software (vital files being corrupted). It can even lead to remote code execution if executable files are being replaced and subsequently executed by the user. In all cases the attacker has to know the location of files on the user's system, though.