CVE-2021-45096

low-risk
Published 2021-12-16

KNIME Analytics Platform before 4.5.0 is vulnerable to XXE (external XML entity injection) via a crafted workflow file (.knwf), aka AP-17730.

Do I need to act?

-
0.47% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
4
CVSS 4.7/10 Medium
NETWORK / LOW complexity

Affected Products (1)

Knime Analytics Platform

Affected Vendors

Knime

References (8)

Third Party Advisory https://github.com/dawid-czarnecki/public-vulnerabilities
Release Notes https://www.knime.com/changelog-v45
Product https://www.knime.com/whats-new-in-knime-45
https://zigrin.com/advisories/knime-analytics-platform-external-xml-entity-injec...
Third Party Advisory https://github.com/dawid-czarnecki/public-vulnerabilities
Release Notes https://www.knime.com/changelog-v45
Product https://www.knime.com/whats-new-in-knime-45
https://zigrin.com/advisories/knime-analytics-platform-external-xml-entity-injec...
26
/ 100
low-risk
Severity 19/34 · Moderate
Exploitability 2/34 · Minimal
Exposure 5/34 · Minimal