In addition to the above-mentioned information, we have also compiled a list of issues that were fixed in the latest version of Knowage-Server. The list is given below. - In versions prior to 7.4.22, 8.0.9, and 8.1.0, there was an issue with Knowage-Server where it did not allow setting the `X-Frame-Options` header to `SAMEORIGIN` when using the X-Sendfile or X-Redirect HTTP request options. This could have led to Cross-site scripting attacks when using certain web-based management interfaces. - In versions prior to 7.4.22, 8.0.9, and 8.1.0, it was possible to set the `X-Content-Type-Options` header to `nosniff` when using the X-Sendfile or X-Redirect HTTP request options. This could have allowed Cross-site scripting attacks when using certain web-based management interfaces. - In versions prior to 7.4.22, 8.0.9, and 8.1.0, it was possible to set the `X-XSS-Protection` header to `1` when using the X-Sendfile or X-Redirect HTTP request options. This could have allowed Cross-site scripting attacks when using certain web-based management interfaces. - In versions prior to 7.4.22, 8.0.
Knowage-Cloud
Knowage-Server is a web service running on a server that has been configured to serve Knowage-Cloud. The web app runs on Node.js and is used by the User in order to search for, save and retrieve some of the latest data from the Knowage-Cloud. - In versions prior to 7.4.22, 8.0.9, and 8.1.0, when using `X-Content-Type-Options` or `X-XSS-Protection`, it was possible to set these headers with any value other than `nosniff`. This could have allowed Cross-site scripting attacks when using certain web based management interfaces.
Timeline
Published on: 10/13/2022 23:15:00 UTC
Last modified on: 10/17/2022 13:30:00 UTC
References
- https://github.com/KnowageLabs/Knowage-Server/security/advisories/GHSA-f2gr-6h9j-rwcw
- https://github.com/KnowageLabs/Knowage-Server/blob/b079a654c1708f82f6914c55be6715ad621d9edd/knowageutils/src/main/java/it/eng/spagobi/utilities/filters/XSSRequestWrapper.java#L82-L206
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-39295