CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2025-3019 – Cross-site scripting vulnerabilities in KNIME Business Hub web pages
https://notcve.org/view.php?id=CVE-2025-3019
31 Mar 2025 — KNIME Business Hub is affected by several cross-site scripting vulnerabilities in its web pages. If a user clicks on a malicious link or opens a malicious web page, arbitrary Java Script may be executed with this user's permissions. This can lead to information loss and/or modification of existing data. The issues are caused by a bug https://github.com/Baroshem/nuxt-security/issues/610 in the widely used nuxt-security module. There are no viable workarounds therefore we strongly recommend to update to one o... • https://www.knime.com/security/advisories#CVE-2025-3019 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.1EPSS: 0%CPEs: 4EXPL: 0CVE-2025-2402 – Hard-coded password for object store of KNIME Business Hub
https://notcve.org/view.php?id=CVE-2025-2402
31 Mar 2025 — A hard-coded, non-random password for the object store (minio) of KNIME Business Hub in all versions except the ones listed below allows an unauthenticated remote attacker in possession of the password to read and manipulate swapped jobs or read and manipulate in- and output data of active jobs. It is also possible to cause a denial-of-service of most functionality of KNIME Business Hub by writing large amounts of data to the object store directly. There are no viable workarounds therefore we strongly recom... • https://www.knime.com/security/advisories#CVE-2025-2402 • CWE-259: Use of Hard-coded Password •
CVSS: 8.8EPSS: 0%CPEs: 4EXPL: 0CVE-2025-2787 – Ingress-nginx vulnerability in KNIME Business Hub
https://notcve.org/view.php?id=CVE-2025-2787
26 Mar 2025 — KNIME Business Hub is affected by the Ingress-nginx CVE-2025-1974 ( a.k.a IngressNightmare ) vulnerability which affects the ingress-nginx component. In the worst case a complete takeover of the Kubernetes cluster is possible. Since the affected component is only reachable from within the cluster, i.e. requires an authenticated user, the severity in the context of KNIME Business Hub is slightly lower. Besides applying the publicly known workarounds, we strongly recommend updating to one of the following ver... • https://www.knime.com/security/advisories • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-6598 – Denial-of-service on KNIME Business Hub when certain jobs are executed
https://notcve.org/view.php?id=CVE-2024-6598
09 Jul 2024 — A denial-of-service attack is possible through the execution functionality of KNIME Business Hub 1.10.0 and 1.10.1. It allows an authenticated attacker with job execution privileges to execute a job that causes internal messages to pile up until there are no more resources available for processing new messages. This leads to an outage of most functionality of KNIME Business Hub. Recovery from the situation is only possible by manual administrator interaction. Please contact our support for instructions in c... • https://www.knime.com/security/advisories#CVE-2024-6598 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2023-5562 – Unsafe default allows for cross-site scripting attacks in KNIME Server and KNIME Business Hub
https://notcve.org/view.php?id=CVE-2023-5562
12 Oct 2023 — An unsafe default configuration in KNIME Analytics Platform before 5.2.0 allows for a cross-site scripting attack. When KNIME Analytics Platform is used as an executor for either KNIME Server or KNIME Business Hub several JavaScript-based view nodes do not sanitize the data that is displayed by default. If the data to be displayed contains JavaScript this code is executed in the browser and can perform any operations that the current user is allowed to perform silently. KNIME Analytics Platform already has ... • https://www.knime.com/security/advisories#CVE-2023-5562 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.0EPSS: 0%CPEs: 1EXPL: 0CVE-2023-3140 – KNIME Hub Web Application is vulnerable to clickjacking
https://notcve.org/view.php?id=CVE-2023-3140
07 Jun 2023 — Missing HTTP headers (X-Frame-Options, Content-Security-Policy) in KNIME Business Hub before 1.4.0 has left users vulnerable to click jacking. Clickjacking is an attack that occurs when an attacker uses a transparent iframe in a window to trick a user into clicking on an actionable item, such as a button or link, to another server in which they have an identical webpage. The attacker essentially hijacks the user activity intended for the original server and sends them to the other server. • https://www.knime.com/security/advisories#CVE-2023-3140 • CWE-1021: Improper Restriction of Rendered UI Layers or Frames •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-2541 – Sensitive information disclosure in KNIME Hub Web Application
https://notcve.org/view.php?id=CVE-2023-2541
07 Jun 2023 — The Web Frontend of KNIME Business Hub before 1.4.0 allows an unauthenticated remote attacker to access internals about the application such as versions, host names, or IP addresses. No personal information or application data was exposed. • https://www.knime.com/security/advisories#CVE-2023-2541 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere •
CVSS: 7.0EPSS: 0%CPEs: 1EXPL: 0CVE-2022-44749 – Opening workflows from untrusted resources may override arbitrary file system contents
https://notcve.org/view.php?id=CVE-2022-44749
24 Nov 2022 — A directory traversal vulnerability in the ZIP archive extraction routines of KNIME Analytics Platform 3.2.0 and above can result in arbitrary files being overwritten on the user's system. This vulnerability is also known as 'Zip-Slip'. An attacker can create a KNIME workflow that, when being opened by a user, can overwrite arbitrary files that the user has write access to. It's not necessary to execute the workflow, opening the workflow is sufficient. The user will notice that something is wrong because an... • https://www.knime.com/security/advisories • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.5EPSS: 2%CPEs: 3EXPL: 0CVE-2022-44748 – Uploading workflows to KNIME Server may override arbitrary file system contents
https://notcve.org/view.php?id=CVE-2022-44748
24 Nov 2022 — A directory traversal vulnerability in the ZIP archive extraction routines of KNIME Server since 4.3.0 can result in arbitrary files being overwritten on the server's file system. This vulnerability is also known as 'Zip-Slip'. An attacker can create a KNIME workflow that, when being uploaded, can overwrite arbitrary files that the operating system user running the KNIME Server process has write access to. The user must be authenticated and have permissions to upload files to KNIME Server. This can impact d... • https://www.knime.com/security/advisories • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-31500
https://notcve.org/view.php?id=CVE-2022-31500
31 May 2022 — In KNIME Analytics Platform below 4.6.0, the Windows installer sets improper filesystem permissions. En KNIME Analytics Platform versiones anteriores a 4.6.0, el instalador de Windows establece permisos inapropiados para el sistema de archivos • https://knime.com • CWE-276: Incorrect Default Permissions •