CVE-2023-38702
📋 TL;DR
This vulnerability allows an authenticated user with only low privileges to upload a malicious JSP file to the Knowage server through the dossier template import endpoint, which does not enforce adequate authorization on the upload. The file lands in the knowageqbeengine web application directory, where the servlet container will compile and run it, so the attacker obtains remote code execution simply by requesting the uploaded JSP over HTTP. It affects installations of the Knowage analytics and business intelligence suite.
💻 Affected Systems
- Knowage Server
📦 What is this software?
Knowage is an open source analytics and business intelligence suite. Knowage Server is the Java web application at its core and is the component affected by this vulnerability.
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise allowing data theft, lateral movement, ransomware deployment, or complete system takeover.
Likely Case
Attacker gains shell access, exfiltrates sensitive data, installs backdoors, or uses server for further attacks.
If Mitigated
Unauthorized file upload prevented, maintaining normal business intelligence functionality.
🎯 Exploit Status
Exploitation requires an authenticated account, but a low-privileged one is enough, and the attack is straightforward once any valid credentials are obtained. The vulnerability is documented in the vendor's public advisory (linked below).
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8.1.8
Vendor Advisory: https://github.com/KnowageLabs/Knowage-Server/security/advisories/GHSA-7mjh-73q3-c3fc
Restart Required: Yes
Instructions:
1. Back up your Knowage installation and data.
2. Download Knowage version 8.1.8 or later from the official repository.
3. Follow the upgrade instructions in the Knowage documentation.
4. Restart the Knowage service.
5. Verify the patch is applied by checking the version.
🔧 Temporary Workarounds
Block access to the vulnerable endpoint
Configure the web server or firewall in front of Knowage to reject requests to /knowage/restful-services/dossier/importTemplateFile. This also disables legitimate dossier template imports for authorized users, so treat it as a stop-gap until 8.1.8 is deployed. Adjust the path if Knowage runs under a context other than the default /knowage, and make sure clients cannot bypass the proxy by reaching the application server port directly.
# Example for Apache (virtual host configuration, mod_rewrite enabled):
# RewriteEngine On
# RewriteRule ^/knowage/restful-services/dossier/importTemplateFile$ - [F]
# Example for Nginx:
# location ~ ^/knowage/restful-services/dossier/importTemplateFile$ { return 403; }
Prevent new files from being written to the knowageqbeengine directory
Unix execute bits do not govern JSP execution: the servlet container compiles and runs any .jsp it can read, so setting existing files to 644 changes nothing. What blocks the attack is denying the account the application runs as the ability to create files in the knowageqbeengine web application directory. Confirm first that the application does not legitimately write there at runtime.
# Linux (paths and the service account are placeholders for your deployment):
# chown -R root:root /path/to/webapps/knowageqbeengine
# chmod -R u=rwX,go=rX /path/to/webapps/knowageqbeengine
# Windows: use an ACL to deny the service account the "Create files / write data" right on the knowageqbeengine directory
🧯 If You Can't Patch
- Implement strict access controls on Knowage accounts (every valid login is a potential attacker here) and monitor the /knowage/restful-services/dossier/importTemplateFile endpoint
- Deploy web application firewall (WAF) rules to block JSP file uploads and suspicious requests
- Review the knowageqbeengine directory for .jsp files that are not part of the shipped application, and repeat the review after any upgrade, since patching does not remove a webshell that was already uploaded
🔍 How to Verify
Check if Vulnerable:
Check the Knowage version: any release from 6.x through 8.1.7 inclusive is vulnerable. To confirm the behaviour rather than the version, use a low-privileged test account in a non-production environment and check whether /knowage/restful-services/dossier/importTemplateFile accepts an upload from a user who should not be allowed to import dossier templates.
Check Version:
Check the Knowage web interface admin panel or examine the application files for version information.
Verify Fix Applied:
After patching, confirm the reported version is 8.1.8 or higher and that the importTemplateFile endpoint rejects uploads from a low-privileged account. Also check the knowageqbeengine directory for unexpected .jsp files: the upgrade closes the upload path but does not delete anything that was uploaded before it.
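Two of the checks above, the version range test and the sweep of the knowageqbeengine directory for JSPs that should not be there, as an added example written for this page (it is not Knowage's own tooling). It assumes the version string is whatever the admin panel reports and that you can supply the path to the knowageqbeengine directory; the shipped JSP names used in the demo are placeholders, and the real allowlist should come from a clean install of the same version.

```python
import os
import re
from typing import Dict, Iterable, List, Tuple

# Affected range as stated in the advisory: 6.x.x through 8.1.7, first fixed release 8.1.8.
FIRST_AFFECTED = (6, 0, 0)
FIRST_FIXED = (8, 1, 8)


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn a reported version ('8.1.7', 'v8.1.10', '8.1.8-SNAPSHOT') into an int tuple.

    Integer tuples are essential here: compared as strings, '8.1.10' sorts before
    '8.1.7', so a naive string comparison would report 8.1.10 as vulnerable.
    """
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_vulnerable_version(version: str) -> bool:
    """True when the reported version lies inside the affected range."""
    return FIRST_AFFECTED <= parse_version(version) < FIRST_FIXED


def suspicious_jsps(entries: Dict[str, float], baseline_time: float,
                    shipped: Iterable[str]) -> List[str]:
    """Flag JSPs under knowageqbeengine that are not part of the shipped application
    or were written after the install/patch time.

    `entries` maps a path relative to the knowageqbeengine directory to its mtime
    (epoch seconds); `shipped` is an allowlist of expected relative paths, built from
    a clean install of the same version (the names in demo() below are placeholders).
    Upgrading closes the upload but does not delete a webshell that already landed,
    so run this after patching as well as before.
    """
    shipped_set = set(shipped)
    flagged = []
    for rel, mtime in sorted(entries.items()):
        if not rel.lower().endswith((".jsp", ".jspx")):
            continue
        if rel not in shipped_set or mtime > baseline_time:
            flagged.append(rel)
    return flagged


def scan_jsps(directory: str) -> Dict[str, float]:
    """Collect relative .jsp/.jspx paths and mtimes from a real knowageqbeengine directory."""
    found: Dict[str, float] = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            if name.lower().endswith((".jsp", ".jspx")):
                full = os.path.join(root, name)
                found[os.path.relpath(full, directory)] = os.path.getmtime(full)
    return found


def demo() -> Tuple[List[str], List[str]]:
    """Run both checks on constructed data so the script works offline."""
    versions = ["8.1.7", "8.1.10", "6.0.0", "v7.2.0"]
    vulnerable = [v for v in versions if is_vulnerable_version(v)]
    # Constructed directory listing: two placeholder shipped JSPs and one newer file
    # with a name that no clean install contains.
    listing = {"index.jsp": 1_690_000_000.0, "WEB-INF/jsp/qbe.jsp": 1_690_000_000.0,
               "tmp_a1.jsp": 1_692_100_000.0}
    flagged = suspicious_jsps(listing, baseline_time=1_691_000_000.0,
                              shipped=["index.jsp", "WEB-INF/jsp/qbe.jsp"])
    return vulnerable, flagged


if __name__ == "__main__":
    print(demo())  # (['8.1.7', '6.0.0', 'v7.2.0'], ['tmp_a1.jsp'])
```

On a live host, pass `scan_jsps("/path/to/webapps/knowageqbeengine")` to `suspicious_jsps` with the timestamp of your last clean install or upgrade as `baseline_time`; anything it returns should be treated as a potential webshell and preserved for forensics before removal.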
📡 Detection & Monitoring
Log Indicators:
- HTTP POST requests to /knowage/restful-services/dossier/importTemplateFile, especially from accounts that do not normally import dossier templates
- Creation or modification of .jsp files under the knowageqbeengine directory (file integrity monitoring or audit rules on that path)
- Child processes (shells, system utilities) spawned by the Java process that runs Knowage
Network Indicators:
- POST requests with file uploads to the vulnerable endpoint
- Subsequent requests to /knowageqbeengine/*.jsp files
SIEM Query:
source="web_server" AND (url="/knowage/restful-services/dossier/importTemplateFile" OR url="/knowageqbeengine/*.jsp")
Note: POSTs to importTemplateFile are legitimate for authorized users and /knowageqbeengine/*.jsp also matches pages shipped with the product, so use this query for triage rather than as an alert on its own. Alert on requests to JSP names that are not part of the installed application, and raise the severity when the same client posted to importTemplateFile shortly before.
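The correlation described above, implemented as an added example for this page (not Knowage's code and not a vendor-supplied rule) and run over constructed access log lines. It assumes the Apache/Nginx combined log format, Knowage under the default /knowage context, and a hypothetical allowlist of JSPs that legitimately exist under /knowageqbeengine; build the real allowlist from a clean install of your version.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional
from urllib.parse import urlsplit

IMPORT_ENDPOINT = "/knowage/restful-services/dossier/importTemplateFile"
ENGINE_PREFIX = "/knowageqbeengine/"
# Hypothetical allowlist: replace with the JSPs present in a clean install of your version.
SHIPPED_JSPS = {"/knowageqbeengine/index.jsp"}
# How long after an accepted import a JSP request from the same client is treated as linked.
CORRELATION_WINDOW = timedelta(hours=1)

# Combined log format: ip ident user [time] "METHOD target PROTO" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (not real traffic): an import followed by a request to a new
# JSP, a request to a shipped JSP, a later request to the same new JSP from another
# address, and one unparsable line.
SAMPLE_LOG = [
    '203.0.113.7 - alice [15/Aug/2023:10:01:02 +0000] "POST /knowage/restful-services/dossier/importTemplateFile HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - alice [15/Aug/2023:10:01:09 +0000] "GET /knowageqbeengine/tmp_a1.jsp?cmd=id HTTP/1.1" 200 87 "-" "Mozilla/5.0"',
    '198.51.100.4 - bob [15/Aug/2023:10:05:00 +0000] "GET /knowageqbeengine/index.jsp HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [15/Aug/2023:13:30:00 +0000] "GET /knowageqbeengine/tmp_a1.jsp HTTP/1.1" 200 87 "-" "curl/8.0"',
    'not an access log line',
]


def parse_line(line: str) -> Optional[Dict]:
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    ev["status"] = int(ev["status"])
    # Strip the query string so "?cmd=..." never hides the path being matched.
    ev["path"] = urlsplit(ev["target"]).path
    return ev


def is_engine_jsp(path: str) -> bool:
    """JSP (or JSPX) under the engine web application; the extension is matched
    case-insensitively so an odd spelling does not slip past the detector."""
    return path.startswith(ENGINE_PREFIX) and path.lower().endswith((".jsp", ".jspx"))


def detect(lines: List[str]) -> List[Dict]:
    """Emit alerts: every accepted import (info), and every request to a non-shipped JSP,
    rated high when the same client imported a template within the window and medium
    otherwise (a webshell is often used from a different address than the one that
    uploaded it, so the medium case still deserves a look)."""
    alerts: List[Dict] = []
    last_import: Dict[str, datetime] = {}  # client ip -> time of last accepted import
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["method"] == "POST" and ev["path"] == IMPORT_ENDPOINT and 200 <= ev["status"] < 300:
            last_import[ev["ip"]] = ev["ts"]
            alerts.append({"severity": "info", "rule": "template-import",
                           "ip": ev["ip"], "user": ev["user"], "path": ev["path"]})
        elif is_engine_jsp(ev["path"]) and ev["path"] not in SHIPPED_JSPS:
            prior = last_import.get(ev["ip"])
            linked = prior is not None and timedelta(0) <= ev["ts"] - prior <= CORRELATION_WINDOW
            alerts.append({"severity": "high" if linked else "medium",
                           "rule": "unexpected-jsp-after-import" if linked else "unexpected-jsp",
                           "ip": ev["ip"], "user": ev["user"], "path": ev["path"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

To run it against a real log, pass `open(path).read().splitlines()` to `detect()`. The user field in the access log is only populated when the proxy itself authenticates the client; the Knowage account behind a request comes from the application's own logs, so join on client address and time when attributing an import to an account.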