CVE-2021-44726
📋 TL;DR
CVE-2021-44726 is a DOM-based cross-site scripting (XSS) vulnerability in KNIME Server's old WebPortal login page. It allows attackers to inject malicious scripts that execute in users' browsers when they visit the compromised login page. Organizations running KNIME Server versions before 4.13.4 are affected.
💻 Affected Systems
- KNIME Server
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, credentials, or perform actions as authenticated users, potentially leading to complete system compromise if combined with other vulnerabilities.
Likely Case
Session hijacking, credential theft, or defacement of the login page with malicious content.
If Mitigated
Limited impact if proper input validation and output encoding are implemented, though the vulnerability still exists.
🎯 Exploit Status
Exploitation requires user interaction (visiting the malicious login page), but no authentication is needed to trigger the vulnerability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.13.4
Vendor Advisory: https://docs.knime.com/2021-06/server_update_guide/index.html#_bugfixes
Restart Required: Yes
Instructions:
1. Download KNIME Server version 4.13.4 or later from the official KNIME website.
2. Stop the KNIME Server service.
3. Back up your current installation and configuration.
4. Install the updated version.
5. Restart the KNIME Server service.
6. Verify the update by checking the server version.
🔧 Temporary Workarounds
Disable Old WebPortal Login Page
Configure KNIME Server to use only the new login page and disable access to the old WebPortal login page.
Modify the server configuration to set 'webportal.old.login.enabled=false' in knime-server.properties.
🧯 If You Can't Patch
- Implement a web application firewall (WAF) with XSS protection rules to block malicious payloads.
- Restrict access to the KNIME Server login page to trusted IP addresses only.
🔍 How to Verify
Check if Vulnerable:
Check if the KNIME Server version is below 4.13.4 by accessing the server admin interface or checking the installation directory for version files.
Check Version:
On Linux: cat /path/to/knime-server/VERSION or check the web interface. On Windows: Check the installation directory for a VERSION file.
Verify Fix Applied:
After patching, confirm the server version is 4.13.4 or higher and test the old WebPortal login page for XSS payloads to ensure they are properly sanitized.
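The version check above is easy to get wrong with a plain string comparison ("4.13.10" sorts before "4.13.4" as text). The following script is an added example, not part of this advisory or of KNIME's own tooling; it compares a version string numerically against the 4.13.4 fix and can read it from a VERSION file. The assumption that the VERSION file contains a dotted version number such as "4.13.3" (possibly with a product-name prefix) is mine, not something the advisory states.

```python
import re
import sys

FIXED_VERSION = "4.13.4"  # first fixed release named in the advisory


def parse_version(text):
    """Extract the leading dotted version number from text such as '4.13.4'
    or 'KNIME Server 4.13.4.0' and return it as a tuple of ints."""
    m = re.search(r"\d+(?:\.\d+)*", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part) for part in m.group(0).split("."))


def is_vulnerable(version_text, fixed=FIXED_VERSION):
    """True if version_text is older than the fixed version.
    Tuples of ints are compared, so 4.13.10 is correctly treated as newer than 4.13.4."""
    found, fix = parse_version(version_text), parse_version(fixed)
    width = max(len(found), len(fix))
    found += (0,) * (width - len(found))  # 4.13 compares as 4.13.0
    fix += (0,) * (width - len(fix))
    return found < fix


def check_version_file(path, fixed=FIXED_VERSION):
    """Read a VERSION file (assumed format: a dotted version string, as in the
    Linux check above) and report whether it is below the fixed release."""
    with open(path, encoding="utf-8") as fh:
        return is_vulnerable(fh.read().strip(), fixed)


if __name__ == "__main__":
    # Usage: python check_knime_version.py 4.13.3   (or a path via check_version_file)
    target = sys.argv[1] if len(sys.argv) > 1 else "4.13.3"
    state = "VULNERABLE (below 4.13.4)" if is_vulnerable(target) else "fixed (4.13.4 or later)"
    print(f"{target}: {state}")
```

The same comparison applies after patching: a reported version of 4.13.4 or higher returns False from is_vulnerable, which is the "fix applied" condition of the section above.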
📡 Detection & Monitoring
Log Indicators:
- Unusual login attempts with script-like parameters in URL or POST data
- Errors related to malformed input on the login page
Network Indicators:
- HTTP requests to the login page containing JavaScript or HTML payloads in parameters
SIEM Query:
source="knime-server" AND (url="*login*" AND (param="*<script>*" OR param="*javascript:*"))
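The SIEM query above matches the literal strings "<script>" and "javascript:" in request parameters. Payloads in access logs are normally URL-encoded (sometimes twice), so a detector has to decode before matching. The script below is an added example, not part of this advisory or of KNIME Server; it parses a few constructed Common Log Format lines, restricts itself to requests whose path contains "login" (mirroring the url="*login*" condition), decodes each query parameter repeatedly, and reports the two indicators the query names. The log format, the /knime/webportal/login path and the sample lines are my assumptions, not values taken from KNIME documentation.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed sample lines (Common Log Format); illustrative only, not real KNIME Server logs.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jan/2022:10:01:02 +0000] "GET /knime/webportal/login?redirect=%2Fworkflows HTTP/1.1" 200 512
10.0.0.7 - - [12/Jan/2022:10:01:09 +0000] "GET /knime/webportal/login?redirect=%3Cscript%3Etest%3C%2Fscript%3E HTTP/1.1" 200 512
10.0.0.9 - - [12/Jan/2022:10:02:15 +0000] "GET /knime/webportal/login?next=javascript%253Atest HTTP/1.1" 200 512
10.0.0.4 - - [12/Jan/2022:10:03:00 +0000] "GET /knime/rest/v4/repository?q=%3Cscript%3E HTTP/1.1" 200 2048
"""

# Client IP, timestamp, method, request target and status of a CLF line
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# The two indicators from the SIEM query, matched case-insensitively after decoding
INDICATORS = [
    ("<script", re.compile(r"<\s*script", re.IGNORECASE)),
    ("javascript:", re.compile(r"javascript\s*:", re.IGNORECASE)),
]


def decode_fully(value, rounds=3):
    """Undo repeated URL encoding (e.g. %253C -> %3C -> <); stop when a pass changes nothing."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_xss_indicators(log_text):
    """Return one hit per (request, parameter, indicator) for login requests
    whose decoded query parameters contain a listed indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if "login" not in parts.path.lower():
            continue  # mirrors url="*login*" in the SIEM query
        for name, raw in parse_qsl(parts.query, keep_blank_values=True):
            value = decode_fully(raw)  # parse_qsl decodes once; this handles further layers
            for label, pattern in INDICATORS:
                if pattern.search(value):
                    hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                                 "param": name, "value": value, "indicator": label})
    return hits


if __name__ == "__main__":
    for hit in find_xss_indicators(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} param={hit['param']} indicator={hit['indicator']}")
```

One caveat specific to DOM-based XSS: a payload carried in the URL fragment (everything after "#") is never sent to the server, so it does not appear in server-side access logs at all. Log-based detection such as this covers only payloads placed in the query string or request body; patching to 4.13.4 remains the actual fix.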