CVE-2022-44748: 
KNIME server vulnerability analysis and mitigation

A directory traversal vulnerability, also known as 'Zip-Slip', was discovered in KNIME Server since version 4.3.0. The vulnerability affects the ZIP archive extraction routines and was disclosed on November 24, 2022. This security issue impacts the server's file system when processing uploaded KNIME workflows (NVD, Vendor Advisory).

The vulnerability allows an authenticated user with upload permissions to create a KNIME workflow that, when uploaded, can overwrite arbitrary files that the operating system user running the KNIME Server process has write access to. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 HIGH (Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) by NIST, while KNIME AG assessed it with a score of 7.1 HIGH (Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L) (NVD).

The vulnerability can impact data integrity through file content changes and potentially cause errors in other software through file corruption. In more severe cases, it can lead to remote code execution if executable files are replaced and subsequently executed by the KNIME Server process user. However, the attacker must know the location of files on the server's file system to successfully exploit this vulnerability (NVD, Vendor Advisory).

There is no workaround to prevent this vulnerability from being exploited. KNIME has released fixed versions 4.13.6, 4.14.3, and 4.15.3 to address this issue. Users are advised to update to one of these versions (NVD, Vendor Advisory).