Knime: >> Business Hub >> 1.11.0 Security Vulnerabilities
Potentially sensitive information in jobs on KNIME Business Hub prior to 1.16.0 were visible to all members of the user's team. Starting with KNIME Business Hub 1.16.0 only metadata of jobs is shown to team members. Only the creator of a job can see all information including in- and output data (if present).
CVSS Score
4.3
EPSS Score
0.0
Published
2025-10-02
An open redirect vulnerability existed in KNIME Business Hub prior to version 1.16.0. An unauthenticated remote attacker could craft a link to a legitimate KNIME Business Hub installation which, when opened by the user, redirects the user to a page of the attackers choice. This might open the possibility for fishing or other similar attacks. The problem has been fixed in KNIME Business Hub 1.16.0.
CVSS Score
7.2
EPSS Score
0.0
Published
2025-10-02
KNIME Business Hub is affected by several cross-site scripting vulnerabilities in its web pages. If a user clicks on a malicious link or opens a malicious web page, arbitrary Java Script may be executed with this user's permissions. This can lead to information loss and/or modification of existing data.
The issues are caused by a bug https://github.com/Baroshem/nuxt-security/issues/610 in the widely used nuxt-security module.
There are no viable workarounds therefore we strongly recommend to update to one of the following versions of KNIME Business Hub:
* 1.13.3 or later
* 1.12.4 or later
CVSS Score
7.2
EPSS Score
0.0
Published
2025-03-31
A hard-coded, non-random password for the object store (minio) of KNIME Business Hub in all versions except the ones listed below allows an unauthenticated remote attacker in possession of the password to read and manipulate swapped jobs or read and manipulate in- and output data of active jobs. It is also possible to cause a denial-of-service of most functionality of KNIME Business Hub by writing large amounts of data to the object store directly.
There are no viable workarounds therefore we strongly recommend to update to one of the following versions of KNIME Business Hub:
* 1.13.2 or later
* 1.12.3 or later
* 1.11.3 or later
* 1.10.3 or later
CVSS Score
8.6
EPSS Score
0.001
Published
2025-03-31
KNIME Business Hub is affected by the Ingress-nginx CVE-2025-1974 ( a.k.a IngressNightmare ) vulnerability which affects the ingress-nginx component. In the worst case a complete takeover of the Kubernetes cluster is possible. Since the affected component is only reachable from within the cluster, i.e. requires an authenticated user, the severity in the context of KNIME Business Hub is slightly lower.
Besides applying the publicly known workarounds, we strongly recommend updating to one of the following versions of KNIME Business Hub:
* 1.13.3 or above
* 1.12.4 or above
* 1.11.4 or above
* 1.10.4 or above
*
CVSS Score
8.8
EPSS Score
0.001
Published
2025-03-26