CVE-2021-45096 Vulnerability Analysis & Exploit Details

CVE-2021-45096 Vulnerability Summary

CVE-2021-45096: KNIME Analytics Platform before 4.5.0 is vulnerable to XXE (external XML entity injection) via a crafted workflow file (.knwf), aka AP-17730.

Exploit Prediction Scoring System (EPSS)

The EPSS score estimates the probability that this vulnerability will be exploited in the near future.

EPSS Score: 0.2% (probability of exploit)

EPSS Percentile: 58.58% (lower percentile = lower relative risk)
This vulnerability is less risky than approximately 41.42% of others.

CVE-2021-45096 References

External References

• https://github.com/dawid-czarnecki/public-vulnerabilities
• https://www.knime.com/changelog-v45
• https://www.knime.com/whats-new-in-knime-45
• https://zigrin.com/advisories/knime-analytics-platform-external-xml-entity-injection/
• https://github.com/dawid-czarnecki/public-vulnerabilities
• https://www.knime.com/changelog-v45
• https://www.knime.com/whats-new-in-knime-45
• https://zigrin.com/advisories/knime-analytics-platform-external-xml-entity-injection/

CWE Common Weakness Enumeration

CAPEC Common Attack Pattern Enumeration and Classification

• Data Serialization External Entities Blowup CAPEC-221 This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.

Vulnerable Configurations

• cpe:2.3:a:knime:knime_analytics_platform:-:*:*:*:*:*:*:*
  cpe:2.3:a:knime:knime_analytics_platform:-:*:*:*:*:*:*:*
• cpe:2.3:a:knime:knime_analytics_platform:3.0.1:*:*:*:*:*:*:*
  cpe:2.3:a:knime:knime_analytics_platform:3.0.1:*:*:*:*:*:*:*
• cpe:2.3:a:knime:knime_analytics_platform:3.1.0:*:*:*:*:*:*:*
  cpe:2.3:a:knime:knime_analytics_platform:3.1.0:*:*:*:*:*:*:*
• cpe:2.3:a:knime:knime_analytics_platform:3.1.1:*:*:*:*:*:*:*
  cpe:2.3:a:knime:knime_analytics_platform:3.1.1:*:*:*:*:*:*:*
• cpe:2.3:a:knime:knime_analytics_platform:3.1.2:*:*:*:*:*:*:*
  cpe:2.3:a:knime:knime_analytics_platform:3.1.2:*:*:*:*:*:*:*
• cpe:2.3:a:knime:knime_analytics_platform:3.2.0:*:*:*:*:*:*:*
  cpe:2.3:a:knime:knime_analytics_platform:3.2.0:*:*:*:*:*:*:*
• cpe:2.3:a:knime:knime_analytics_platform:3.2.1:*:*:*:*:*:*:*
  cpe:2.3:a:knime:knime_analytics_platform:3.2.1:*:*:*:*:*:*:*
• cpe:2.3:a:knime:knime_analytics_platform:3.2.2:*:*:*:*:*:*:*
  cpe:2.3:a:knime:knime_analytics_platform:3.2.2:*:*:*:*:*:*:*
• cpe:2.3:a:knime:knime_analytics_platform:3.3.0:*:*:*:*:*:*:*
  cpe:2.3:a:knime:knime_analytics_platform:3.3.0:*:*:*:*:*:*:*
• cpe:2.3:a:knime:knime_analytics_platform:3.3.1:*:*:*:*:*:*:*
  cpe:2.3:a:knime:knime_analytics_platform:3.3.1:*:*:*:*:*:*:*
• cpe:2.3:a:knime:knime_analytics_platform:3.3.2:*:*:*:*:*:*:*
  cpe:2.3:a:knime:knime_analytics_platform:3.3.2:*:*:*:*:*:*:*
• cpe:2.3:a:knime:knime_analytics_platform:3.3.3:*:*:*:*:*:*:*
  cpe:2.3:a:knime:knime_analytics_platform:3.3.3:*:*:*:*:*:*:*
• cpe:2.3:a:knime:knime_analytics_platform:3.3.4:*:*:*:*:*:*:*
  cpe:2.3:a:knime:knime_analytics_platform:3.3.4:*:*:*:*:*:*:*
• cpe:2.3:a:knime:knime_analytics_platform:3.4.0:*:*:*:*:*:*:*
  cpe:2.3:a:knime:knime_analytics_platform:3.4.0:*:*:*:*:*:*:*
• cpe:2.3:a:knime:knime_analytics_platform:3.4.1:*:*:*:*:*:*:*
  cpe:2.3:a:knime:knime_analytics_platform:3.4.1:*:*:*:*:*:*:*
• cpe:2.3:a:knime:knime_analytics_platform:3.4.2:*:*:*:*:*:*:*
  cpe:2.3:a:knime:knime_analytics_platform:3.4.2:*:*:*:*:*:*:*
• cpe:2.3:a:knime:knime_analytics_platform:3.5.0:*:*:*:*:*:*:*
  cpe:2.3:a:knime:knime_analytics_platform:3.5.0:*:*:*:*:*:*:*
• cpe:2.3:a:knime:knime_analytics_platform:3.5.1:*:*:*:*:*:*:*
  cpe:2.3:a:knime:knime_analytics_platform:3.5.1:*:*:*:*:*:*:*
• cpe:2.3:a:knime:knime_analytics_platform:3.5.2:*:*:*:*:*:*:*
  cpe:2.3:a:knime:knime_analytics_platform:3.5.2:*:*:*:*:*:*:*
• cpe:2.3:a:knime:knime_analytics_platform:3.5.3:*:*:*:*:*:*:*
  cpe:2.3:a:knime:knime_analytics_platform:3.5.3:*:*:*:*:*:*:*
• cpe:2.3:a:knime:knime_analytics_platform:3.6.0:*:*:*:*:*:*:*
  cpe:2.3:a:knime:knime_analytics_platform:3.6.0:*:*:*:*:*:*:*
• cpe:2.3:a:knime:knime_analytics_platform:3.6.1:*:*:*:*:*:*:*
  cpe:2.3:a:knime:knime_analytics_platform:3.6.1:*:*:*:*:*:*:*
• cpe:2.3:a:knime:knime_analytics_platform:3.6.2:*:*:*:*:*:*:*
  cpe:2.3:a:knime:knime_analytics_platform:3.6.2:*:*:*:*:*:*:*
• cpe:2.3:a:knime:knime_analytics_platform:3.7.0:*:*:*:*:*:*:*
  cpe:2.3:a:knime:knime_analytics_platform:3.7.0:*:*:*:*:*:*:*
• cpe:2.3:a:knime:knime_analytics_platform:3.7.1:*:*:*:*:*:*:*
  cpe:2.3:a:knime:knime_analytics_platform:3.7.1:*:*:*:*:*:*:*
• cpe:2.3:a:knime:knime_analytics_platform:3.7.2:*:*:*:*:*:*:*
  cpe:2.3:a:knime:knime_analytics_platform:3.7.2:*:*:*:*:*:*:*
• cpe:2.3:a:knime:knime_analytics_platform:4.0.0:*:*:*:*:*:*:*
  cpe:2.3:a:knime:knime_analytics_platform:4.0.0:*:*:*:*:*:*:*
• cpe:2.3:a:knime:knime_analytics_platform:4.0.1:*:*:*:*:*:*:*
  cpe:2.3:a:knime:knime_analytics_platform:4.0.1:*:*:*:*:*:*:*
• cpe:2.3:a:knime:knime_analytics_platform:4.0.2:*:*:*:*:*:*:*
  cpe:2.3:a:knime:knime_analytics_platform:4.0.2:*:*:*:*:*:*:*
• cpe:2.3:a:knime:knime_analytics_platform:4.1.0:*:*:*:*:*:*:*
  cpe:2.3:a:knime:knime_analytics_platform:4.1.0:*:*:*:*:*:*:*
• cpe:2.3:a:knime:knime_analytics_platform:4.1.1:*:*:*:*:*:*:*
  cpe:2.3:a:knime:knime_analytics_platform:4.1.1:*:*:*:*:*:*:*
• cpe:2.3:a:knime:knime_analytics_platform:4.1.2:*:*:*:*:*:*:*
  cpe:2.3:a:knime:knime_analytics_platform:4.1.2:*:*:*:*:*:*:*
• cpe:2.3:a:knime:knime_analytics_platform:4.1.3:*:*:*:*:*:*:*
  cpe:2.3:a:knime:knime_analytics_platform:4.1.3:*:*:*:*:*:*:*
• cpe:2.3:a:knime:knime_analytics_platform:4.1.4:*:*:*:*:*:*:*
  cpe:2.3:a:knime:knime_analytics_platform:4.1.4:*:*:*:*:*:*:*
• cpe:2.3:a:knime:knime_analytics_platform:4.2.0:*:*:*:*:*:*:*
  cpe:2.3:a:knime:knime_analytics_platform:4.2.0:*:*:*:*:*:*:*
• cpe:2.3:a:knime:knime_analytics_platform:4.2.1:*:*:*:*:*:*:*
  cpe:2.3:a:knime:knime_analytics_platform:4.2.1:*:*:*:*:*:*:*
• cpe:2.3:a:knime:knime_analytics_platform:4.2.2:*:*:*:*:*:*:*
  cpe:2.3:a:knime:knime_analytics_platform:4.2.2:*:*:*:*:*:*:*
• cpe:2.3:a:knime:knime_analytics_platform:4.2.3:*:*:*:*:*:*:*
  cpe:2.3:a:knime:knime_analytics_platform:4.2.3:*:*:*:*:*:*:*
• cpe:2.3:a:knime:knime_analytics_platform:4.2.4:*:*:*:*:*:*:*
  cpe:2.3:a:knime:knime_analytics_platform:4.2.4:*:*:*:*:*:*:*
• cpe:2.3:a:knime:knime_analytics_platform:4.2.5:*:*:*:*:*:*:*
  cpe:2.3:a:knime:knime_analytics_platform:4.2.5:*:*:*:*:*:*:*
• cpe:2.3:a:knime:knime_analytics_platform:4.3.0:*:*:*:*:*:*:*
  cpe:2.3:a:knime:knime_analytics_platform:4.3.0:*:*:*:*:*:*:*
• cpe:2.3:a:knime:knime_analytics_platform:4.3.1:*:*:*:*:*:*:*
  cpe:2.3:a:knime:knime_analytics_platform:4.3.1:*:*:*:*:*:*:*
• cpe:2.3:a:knime:knime_analytics_platform:4.3.2:*:*:*:*:*:*:*
  cpe:2.3:a:knime:knime_analytics_platform:4.3.2:*:*:*:*:*:*:*
• cpe:2.3:a:knime:knime_analytics_platform:4.3.3:*:*:*:*:*:*:*
  cpe:2.3:a:knime:knime_analytics_platform:4.3.3:*:*:*:*:*:*:*
• cpe:2.3:a:knime:knime_analytics_platform:4.3.4:*:*:*:*:*:*:*
  cpe:2.3:a:knime:knime_analytics_platform:4.3.4:*:*:*:*:*:*:*
• cpe:2.3:a:knime:knime_analytics_platform:4.4.0:*:*:*:*:*:*:*
  cpe:2.3:a:knime:knime_analytics_platform:4.4.0:*:*:*:*:*:*:*
• cpe:2.3:a:knime:knime_analytics_platform:4.4.1:*:*:*:*:*:*:*
  cpe:2.3:a:knime:knime_analytics_platform:4.4.1:*:*:*:*:*:*:*
• cpe:2.3:a:knime:knime_analytics_platform:4.4.2:*:*:*:*:*:*:*
  cpe:2.3:a:knime:knime_analytics_platform:4.4.2:*:*:*:*:*:*:*
• cpe:2.3:a:knime:knime_analytics_platform:4.4.4:*:*:*:*:*:*:*
  cpe:2.3:a:knime:knime_analytics_platform:4.4.4:*:*:*:*:*:*:*

Other 5 Recently Published CVEs Vulnerabilities

• CVE-2025-3103 – The CLEVER - HTML5 Radio Player With History - Shoutcast and Icecast - Elementor Widget Addon plugin for WordPress is vulnerable to arbitrary file ...
• CVE-2025-3275 – The Themesflat Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the TF E Slider widget in all versions up...
• CVE-2025-1457 – The Element Pack Addons for Elementor – Free Templates and Widgets for Your WordPress Websites plugin for WordPress is vulnerable to Stored Cross-S...
• CVE-2025-1093 – The AIHub theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the generate_image function in all ver...
• CVE-2025-3284 – The User Registration & Membership – Custom Registration Form, Login Form, and User Profile plugin for WordPress is vulnerable to Cross-Site Reques...