KNIME logo
Contact usDownload

Security Advisories

Angle PatternAngle PatternPanel BGPanel BG

This page summarizes all security advisories for KNIME Software products and services, including KNIME Analytics Platform, KNIME Server, and KNIME Hub.

Please note that the CVSS Score is an indication of the potential severity of the issue but not the risk. The actual risk needs to be assessed by every user individually because there may be circumstances where a high severity issue is not applicable and therefore does not pose a risk (and vice-versa).

If you want to know more about the CVSS Score, have a look at the resources provided by the Common Vulnerability Scoring System SIG.

CVE-2023-5562 - Unsafe default allows for cross-site scripting attacks in KNIME Server and KNIME Business Hub

An unsafe default configuration in KNIME Analytics Platform before 5.2.2 allows for a cross-site scripting attack. When KNIME Analytics Platform is used as an executor for either KNIME Server or KNIME Business Hub several JavaScript-based view nodes do not sanitize the data that is displayed by default. If the data to be displayed contains JavaScript this code is executed in the browser and can perform any operations that the current user is allowed to perform silently.

KNIME Analytics Platform already has configuration options with which sanitization of data can be actived, see the KNIME WebPortal Administration Guide. However, these are off by default which allows for cross-site scripting attacks.

KNIME Analytics Platform 5.2.2 will enable sanitization by default. For all previous releases we recommend users to add the corresponding settings to the executor's knime.ini.

External CVE-2023-41080 - Vulnerability in Apache Tomcat

  • Published: 2023-08-29
  • Affected Product: KNIME Server

vulnerability in the form authentication of Apache Tomcat (versions below 9.0.80) has recently been disclosed. KNIME Server uses form authentication for the KNIME WebPortal but is only affected in none-standard installations (see below).

The vulnerability in Apache Tomcat only affects the so-called ROOT web application. A standard KNIME Server installation runs as the "knime" application and is therefore not affected. If, however, you have a non-standard KNIME Server installation and your KNIME Server runs as ROOT application, you would be affected.

If the URL of your KNIME Server installation starts with "/knime" right after the hostname, e.g. https://knime.server/knime, then you have a standard installation and are not affected

Even if you are running KNIME Server as the ROOT application the impact is rather low. If someone tries to exploit the vulnerability (i.e. redirecting from the login page to a different host) the browser will issue a warning.

We will release KNIME Server 4.16.6 and 4.15.7 in the coming days which include a fixed version of Apache Tomcat (9.0.80). Please note that you have to create a new installation of KNIME Server in order to update Apache Tomcat. Replacing the knime.war file is not sufficient.

CVE-2023-3140 - KNIME Hub Web Application is vulnerable to clickjacking

Missing HTTP headers (X-Frame-Options, Content-Security-Policy) in KNIME Business Hub before 1.4.0 has left users vulnerable to click jacking. Clickjacking is an attack that occurs when an attacker uses a transparent iframe in a window to trick a user into clicking on an actionable item, such as a button or link, to another server in which they have an identical webpage. The attacker essentially hijacks the user activity intended for the original server and sends them to the other server.

Since embedding KNIME Business Hub and especially Data Apps executed on KNIME Business Hub is sometimes desired, it's now possible to set and configure these HTTP headers. An update to fixed version 1.4.0 is required for this functionality.

This vulnerability was found by Breachlock.

CVE-2023-2541 - Sensitive information disclosure in KNIME Hub Web Application

The Web Frontend of KNIME Business Hub before 1.4.0 allows an unauthenticated remote attacker to access internals about the application such as versions, host names, or IP addresses. No personal information or application data was exposed.

Such information could be used by an attacker either directly in an attack or indirectly to support other types of attacks.

There is no workaround. An update to fixed version 1.4.0 is advised.

This vulnerability was found by Zigrin Security.

CVE-2022-44749 - Opening workflows in KNIME Analytics Platform from untrusted sources may override arbitrary file system contents

A directory traversal vulnerability in the ZIP archive extraction routines of any version of KNIME Analytics Platform can result in arbitrary files being overwritten on the user's system. This vulnerability is also known as 'Zip-Slip'.

An attacker can create a KNIME workflow that, when being opened by a user, can overwrite arbitrary files that the user has write access to. It's not necessary to execute the workflow, opening the workflow is sufficient. The user will notice that something is wrong because an error is being reported but only after the files have already been written.

This can impact data integrity (file contents are changed) or cause errors in other software (vital files being corrupted). It can even lead to remote code execution if executable files are being replaced and subsequently executed by the user.

As a workaround do not open workflows from untrusted sources. Updates to fixed versions 4.6.4 (or 4.4.5 and 4.5.3 once they become available) are advised.

This vulnerability was found internally.

CVE-2022-44748 - Uploading workflows to KNIME Server may override arbitrary file system contents

A directory traversal vulnerability in the ZIP archive extraction routines of KNIME Server 4.3.0 and above can result in arbitrary files being overwritten on the server's file system. This vulnerability is also known as 'Zip-Slip'.

An attacker can create a KNIME workflow that, when being uploaded, can overwrite arbitrary files that the operating system user running the KNIME Server process has write access to. The user must be authenticated and have permissions to upload files to KNIME Server.

This can impact data integrity (file contents are changed) or cause errors in other software (vital files being corrupted). It can even lead to remote code execution if executable files are being replaced and subsequently executed by the KNIME Server process user. In all cases the attacker has to know the location of files on the server's file system, though.

Note that users that have permissions to upload workflows usually also have permissions to run them on the KNIME Server and can therefore already execute arbitrary code in the context of the KNIME Executor's operating system user. Therefore we score the risk of this vulnerability as low.

There is no workaround to prevent this vulnerability from being exploited. Updates to fixed versions 4.13.6, 4.14.3, or 4.15.3 are advised

This vulnerability was found internally.

External CVE-2022-42889 - Vulnerability in Apache Commons Text

  • Published: 2022-10-25 and updated 2022-10-28
  • Affected Product: none

vulnerability in the StringLookup class of Apache Commons Text (versions below 1.10) has recently been disclosed. It allows remote code execution under certain circumstances and was therefore given a CVSS Score of 9.8. Both KNIME Analytics Platform and KNIME Server make use of Apache Commons Text but not of the affected class. This means our own code is not vulnerable and therefore there is no risk for KNIME users. Also Apache Spark, which is part of the KNIME Extension for Local Big Data Environments and uses Apache Commons Text as well, is not affected by the vulnerability.

CVE-2022-31500 - Windows installer for KNIME Analytics Platform allows for privilege escalation

The installer for KNIME Analytics Platform on Windows before 4.6.0 makes the installation directory writeable to everyone on the system. This is useful so that the user can update or install extensions from a running KNIME Analytics Platform without having to restart the application as administrator. However, this also allows other authenticated local users on the system to (re)place malicious files in the installation e.g. replacing the uninstall program. The latter is run with administration privileges if the application is being uninstalled (by a user with administrative privileges). Starting with KNIME Analytics Platform 4.6.0 the installer will restrict write access to the installation directory to admin users. This also means that in order to update or install additional extensions, KNIME Analytics Platform must first be started with admin privileges.

Note that the KNIME Server installer for Windows, which can create a KNIME Analytics Platform installation used as an executor, is not affected.Workaround

Existing installations can be "fixed" by restricting the permissions of the installation folder manually. If you use the self-extracting archive or the ZIP file the default permissions on Windows apply, which usually means that only the extracting user has write permissions on the installation directory. In this case update or installation of extensions is possible without starting KNIME Analytics Platform as admin user.

The vulnerability was found and reported by Łukasz Rupala & Przemysław Mazurek.

CVE-2021-45096 - External XML Entity Injection with specially crafted workflow files

KNIME Analytics Platform before 4.5.0 with resolve external entities in workflow.knime files when loading a workflow. Using a specially crafted workflow file, potentially sensitive information such as Windows network password hashes maybe leaked to a remote system. It can not be used to leak information from a remote system e.g. when a workflow is loaded on KNIME Server.

The vulnerability was found and reported by Dawid Czarnecki from NATO.

CVE-2021-45097 - Server installer does not restrict permission on auto-install.xml

KNIME Server before 4.12.6 and 4.13.x before 4.13.4 (when installed in unattended mode) keeps the administrator's password in a file without appropriate file access controls, allowing all local users to read its content.

The vulnerability was found and reported by Dawid Czarnecki from NATO.

CVE-2021-44725 - Directory path traversal when requesting client profiles

The server managed customizations functionality of KNIME Server starting at version 4.7.0 is vulnerable to Directory Path Traversal attacks. By manipulating variables that reference files by prepending “dot-dot-slash (../)” sequences and their variations or by using absolute file paths, it is possible to access arbitrary files and directories stored on the file system including application source code, configuration, and database. Due to the file-based architecture of KNIME Server, this vulnerability allows stealing users' data
such as password hashes, workflows, licenses, jobs, and so on. No authentication is required to exploit this vulnerability.

The issue is fixed in KNIME Server 4.13.4, 4.12.5, and 4.11.6 which have been released today. All customers are advised to update their server's immediately.Workaround

If you cannot update right away you can apply the following workaround which prevents access to client profiles for any user:

  • Locate <apache-tomcat>/webapps/knime/WEB-INF/web.xml
  • Edit the file and add the following block before the existing line <deny-uncovered-http-methods /> at the bottom of the file:
    • ... <security-constraint> <web-resource-collection> <web-resource-name>Profiles <url-pattern>/rest/v4/profiles/contents </web-resource-collection> <auth-constraint /> </security-constraint> <deny-uncovered-http-methods /> </web-app>
  • Restart KNIME Server.

The vulnerability was found and reported by Dawid Czarnecki from NATO.

CVE-2021-44726 - Cross-Site-Scripting vulnerability in old WebPortal login

The old KNIME WebPortal login page up to version 4.13.3 contains a DOM-based XSS vulnerability that once exploited, can be used to run any action as a victim user via malicious JavaScript. If the victim user is an administrator, it could be used to create a new administrator. To exploit the vulnerability it is required to create a specially crafted URL and convince the victim to open it. No authentication is required to exploit the vulnerability, however, authenticated users can be targeted.

The vulnerability was found and reported by Dawid Czarnecki from NATO