DATE

10.12.2021

Affected Vendor

KNIME AG

Affected Product

KNIME Server – Enterprise software for putting your data science workflows into production – https://www.knime.com/knime-software

Vulnerable version

4.13.3, 4.12.4, 4.11.5

Fixed version

4.13.4, 4.12.5, 4.12.6

Recommendations

Update to KNIME Server version 4.13.4, 4.12.5, or 4.12.6 

Vulnerability details

The Profiles section of the KNIME server web application up to version 4.13.3 is vulnerable to Directory Path Traversal attacks.
By manipulating variables that reference files, either by prepending “dot-dot-slash (../)” sequences and their variations or by using absolute file paths, it is possible to access arbitrary files and directories stored on the file system, including application source code, configuration, and database.

Due to the file-based architecture of the KNIME server application, this vulnerability allows stealing users’ data such as password hashes, workflows, licenses, jobs, and so on.

No authentication is required to exploit this vulnerability.
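
For the two input forms named above (dot-dot-slash sequences with their variations, and absolute paths), the following added example shows a server-side containment check that rejects both. It is not KNIME's code and not part of the original advisory; the function name `resolve_under`, the `profiles` directory layout and the sample inputs are constructed for illustration.

```python
import os
import tempfile
from urllib.parse import unquote


class UnsafePath(ValueError):
    """Raised when a requested name would resolve outside the base directory."""


def resolve_under(base_dir: str, requested: str) -> str:
    """Return the real path of `requested` inside `base_dir`, or raise UnsafePath."""
    # Decode percent-encoding once, as a web framework typically does before
    # the handler sees the value, and normalise Windows-style separators.
    name = unquote(requested).replace("\\", "/")
    if "\x00" in name:
        raise UnsafePath("NUL byte in path")
    # An absolute path would make os.path.join discard base_dir entirely.
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        raise UnsafePath("absolute path")
    base = os.path.realpath(base_dir)
    # realpath collapses "../" and follows symlinks, so the containment check
    # is made on the location that would really be opened.
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        raise UnsafePath("escapes base directory")
    return target


def demo() -> dict:
    """Run constructed sample inputs against a temporary profiles directory."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "profiles")
        os.makedirs(os.path.join(base, "team"))
        samples = ["team/prefs.txt", "../secret.txt", "team/../../secret.txt",
                   "%2e%2e%2fsecret.txt", "..\\secret.txt", "/etc/passwd"]
        for s in samples:
            try:
                resolve_under(base, s)
                results[s] = "allowed"
            except UnsafePath as exc:
                results[s] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for sample, verdict in demo().items():
        print(f"{sample!r:28} {verdict}")
```

The check is made on the resolved path rather than by searching the input for `../`, so encoded and mixed-separator variants are handled by the same comparison.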

CVE

CVE-2021-44725

Credits

Dawid Czarnecki
