KNIME Analytics Platform – External XML entity injection
Date
6.12.2021
Affected Vendor
KNIME AG
Affected Product
KNIME Analytics Platform – open source software for creating data science – https://www.knime.com/knime-software
Vulnerable version
4.4
Fixed version
4.5
CVSS
4.7 Medium CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
Recommendations
Update to KNIME Analytics Platform version 4.5
Vulnerability details
KNIME Analytics Platform version 4.4 is vulnerable to external XML entity (XXE) injection. To exploit this vulnerability, a victim must open a crafted workflow file (.knwf). The application then initiates a network connection to an attacker-controlled server, through which the attacker can steal sensitive information such as password hashes. No privileges are required to exploit this vulnerability.
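A triage check for workflow files received from untrusted sources, added here as an example and not taken from the advisory or from KNIME: it flags any archive member that carries a DTD or an external entity declaration before the file is opened. It assumes a .knwf file is a ZIP archive of XML documents; the function names, member name and sample documents are constructed for illustration.

```python
import io
import re
import zipfile

# A DTD is unexpected in workflow XML; SYSTEM/PUBLIC identifiers are what XXE relies on.
DOCTYPE_RE = re.compile(r"<!DOCTYPE", re.IGNORECASE)
EXTERNAL_RE = re.compile(
    r"<!ENTITY\s+(?:%\s+)?[^\s>]+\s+(?:SYSTEM|PUBLIC)\b"
    r"|<!DOCTYPE\s+[^\[>]+\s(?:SYSTEM|PUBLIC)\b")
MAX_MEMBER_BYTES = 10 * 1024 * 1024  # assumed cap so huge members are not fully read


def decode_xml(raw: bytes) -> str:
    """Decode by BOM so a UTF-16 document cannot hide its DTD from the regexes."""
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16", errors="replace")
    return raw.decode("utf-8-sig", errors="replace")


def scan_knwf(archive) -> list:
    """Return (member, finding) pairs for every archive member carrying a DTD."""
    findings = []
    with zipfile.ZipFile(archive) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                text = decode_xml(fh.read(MAX_MEMBER_BYTES))
            if EXTERNAL_RE.search(text):
                findings.append((info.filename, "external-entity"))
            elif DOCTYPE_RE.search(text):
                findings.append((info.filename, "doctype"))
    return findings


def build_sample(workflow_xml: str, encoding: str = "utf-8") -> io.BytesIO:
    """Build a constructed in-memory archive; the member name is illustrative."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("demo/workflow.knime", workflow_xml.encode(encoding))
    buf.seek(0)
    return buf


# Constructed sample documents; the URL is a non-resolving placeholder.
BENIGN = '<?xml version="1.0"?><config key="workflow.knime"/>'
SUSPECT = ('<?xml version="1.0"?><!DOCTYPE config ['
           '<!ENTITY % ext SYSTEM "http://placeholder.invalid/x.dtd">]>'
           '<config key="workflow.knime"/>')
```

A clean result only means no DTD was found in a BOM-marked or UTF-8 member; updating to the fixed version remains the remedy.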
CVE
CVE-2021-45096
Credits
Dawid Czarnecki