CVE-2022-44748 – Uploading workflows to KNIME Server may override arbitrary file system contents

https://notcve.org/view.php?id=CVE-2022-44748

24 Nov 2022 — A directory traversal vulnerability in the ZIP archive extraction routines of KNIME Server since 4.3.0 can result in arbitrary files being overwritten on the server's file system. This vulnerability is also known as 'Zip-Slip'. An attacker can create a KNIME workflow that, when being uploaded, can overwrite arbitrary files that the operating system user running the KNIME Server process has write access to. The user must be authenticated and have permissions to upload files to KNIME Server. This can impact d... • https://www.knime.com/security/advisories • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •