CVE-2022-44748

Name of the Vulnerable Software and Affected Versions KNIME Server versions 4.3.0 through 4.13.5 KNIME Server versions 4.14.0 through 4.14.2 KNIME Server versions 4.15.0 through 4.15.2

Description A directory traversal vulnerability in the ZIP archive extraction routines can result in arbitrary files being overwritten on the server's file system, also known as 'Zip-Slip'. An attacker can create a KNIME workflow that, when being uploaded, can overwrite arbitrary files that the operating system user running the KNIME Server process has write access to. The user must be authenticated and have permissions to upload files to KNIME Server. This can impact data integrity or cause errors in other software, and can even lead to remote code execution if executable files are being replaced and subsequently executed by the KNIME Server process user.

Recommendations For KNIME Server versions 4.3.0 through 4.13.5, update to version 4.13.6. For KNIME Server versions 4.14.0 through 4.14.2, update to version 4.14.3. For KNIME Server versions 4.15.0 through 4.15.2, update to version 4.15.3.