CVE-2022-44748: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in KNIME KNIME Server
A directory traversal vulnerability in the ZIP archive extraction routines of KNIME Server since 4.3.0 can result in arbitrary files being overwritten on the server's file system. This vulnerability is also known as 'Zip-Slip'. An attacker can create a KNIME workflow that, when being uploaded, can overwrite arbitrary files that the operating system user running the KNIME Server process has write access to. The user must be authenticated and have permissions to upload files to KNIME Server. This can impact data integrity (file contents are changed) or cause errors in other software (vital files being corrupted). It can even lead to remote code execution if executable files are being replaced and subsequently executed by the KNIME Server process user. In all cases the attacker has to know the location of files on the server's file system, though. Note that users that have permissions to upload workflows usually also have permissions to run them on the KNIME Server and can therefore already execute arbitrary code in the context of the KNIME Executor's operating system user. There is no workaround to prevent this vulnerability from being exploited. Updates to fixed versions 4.13.6, 4.14.3, or 4.15.3 are advised.
AI Analysis
Technical Summary
CVE-2022-44748 is a path traversal vulnerability affecting KNIME Server versions 4.3.0, 4.14.0, and 4.15.0. The flaw resides in the ZIP archive extraction routines used by the server when processing uploaded KNIME workflows. Specifically, the vulnerability allows an authenticated user with permissions to upload workflows to craft a malicious ZIP archive that, upon extraction, can overwrite arbitrary files on the server's file system. This is possible because the server does not properly restrict pathname traversal sequences (e.g., '..') within the ZIP entries, enabling files to be written outside the intended extraction directory. The attacker must be authenticated and have upload rights, and must also know the file system layout to target specific files for overwriting. The impact of this vulnerability includes data integrity compromise through file content modification or corruption, disruption of other software relying on the overwritten files, and potentially remote code execution if executable files are replaced and subsequently run by the KNIME Server process user. However, it is important to note that users with upload permissions typically also have the ability to execute workflows, which already grants them the capability to run arbitrary code under the KNIME Executor's OS user context. There is no known workaround to mitigate this vulnerability without applying an update. Fixed versions are available in KNIME Server 4.13.6, 4.14.3, and 4.15.3, and upgrading to these versions is strongly recommended to remediate the issue. No known exploits have been reported in the wild to date.
Potential Impact
For European organizations using KNIME Server, this vulnerability poses a significant risk to the confidentiality, integrity, and availability of critical data and systems. Since KNIME Server is widely used in data analytics, scientific research, and business intelligence, exploitation could lead to unauthorized modification or destruction of data files, potentially corrupting analytical results or business processes. The ability to overwrite arbitrary files could disrupt dependent applications or services, causing operational downtime. Furthermore, the possibility of remote code execution elevates the threat to full system compromise, allowing attackers to execute malicious payloads with the privileges of the KNIME Server process user. This could lead to lateral movement within the network, data exfiltration, or deployment of ransomware. The requirement for authenticated access limits the attack surface to insiders or compromised accounts, but given that users with upload permissions can already execute arbitrary code, this vulnerability primarily lowers the barrier for privilege escalation or stealthy persistence. The lack of a workaround means that vulnerable systems remain exposed until patched, increasing the urgency for remediation. Organizations in sectors with high data sensitivity, such as finance, healthcare, and research institutions, are particularly at risk due to the potential impact on data integrity and availability.
Mitigation Recommendations
1. Immediate upgrade of KNIME Server to one of the fixed versions: 4.13.6, 4.14.3, or 4.15.3. This is the only effective mitigation as no workaround exists.
2. Review and restrict user permissions rigorously: limit workflow upload and execution rights to trusted users only, minimizing the number of accounts that can exploit this vulnerability.
3. Implement strong authentication mechanisms and monitor for unusual upload activities to detect potential exploitation attempts.
4. Conduct file system integrity monitoring on the server to detect unauthorized file modifications, especially in critical directories.
5. Employ network segmentation and access controls to isolate KNIME Server from sensitive infrastructure, reducing the impact of a potential compromise.
6. Regularly audit and review server logs for signs of suspicious behavior related to workflow uploads or file system changes.
7. Educate users with upload permissions about the risks and enforce strict operational security policies.
8. Consider deploying application-layer firewalls or intrusion detection systems capable of inspecting ZIP archive contents if feasible, to detect malicious payloads before extraction.
Affected Countries
Germany, France, United Kingdom, Netherlands, Switzerland, Sweden, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: KNIME
- Date Reserved: 2022-11-04T18:16:26.275Z
- CISA Enriched: true
Threat ID: 682d983ec4522896dcbeffed
Added to database: 5/21/2025, 9:09:18 AM
Last enriched: 6/24/2025, 3:04:50 PM
Last updated: 8/15/2025, 11:17:02 AM