knime 関連製品全体の CVE とセキュリティ脆弱性情報を集約し、CVSS、EPSS、公開日、脆弱性情報データを掲載しています。
一般的な弱点パターンには vendor risk cross-site scripting、パス処理の欠陥、vendor risk xxe, and vendor risk open redirect があり、vendor surface production workloads and vendor surface software deployment の利用場面で ファイル上書き and vendor impact session compromise などのリスクが生じる可能性があります。
掲載データは公開脆弱性情報とセキュリティ公告に基づき、過去の暴露面と修補優先度の評価に利用できます。
| CVE | 概要 | ソース | CVSS 最大値 | EPSS(%) | 公開 | 更新 |
|---|---|---|---|---|---|---|
| CVE-2025-14262 | A wrong permission check in KNIME Business Hub before version 1.17.0 allowed an authenticated user to save jobs of other users as if there were saved by the job owner. The attacker must have permissions to access the jobs but then they were saved into the catalog service using the wrong owner permissions. Therefore it may have been possible to save into spaces where the attacker does not have write permissions. There is no workaround. | [email protected] | 5.3 | 0.03% | 2025-12-08 | 2026-02-27 |
| CVE-2025-11240 | An open redirect vulnerability existed in KNIME Business Hub prior to version 1.16.0. An unauthenticated remote attacker could craft a link to a legitimate KNIME Business Hub installation which, when opened by the user, redirects the user to a page of the attackers choice. This might open the possibility for fishing or other similar attacks. The problem has been fixed in KNIME Business Hub 1.16.0. | [email protected] | 5.3 | 0.04% | 2025-10-02 | 2025-10-08 |
| CVE-2025-11239 | Potentially sensitive information in jobs on KNIME Business Hub prior to 1.16.0 were visible to all members of the user's team. Starting with KNIME Business Hub 1.16.0 only metadata of jobs is shown to team members. Only the creator of a job can see all information including in- and output data (if present). | [email protected] | 2.3 | 0.04% | 2025-10-02 | 2025-10-08 |
| CVE-2025-3019 | KNIME Business Hub is affected by several cross-site scripting vulnerabilities in its web pages. If a user clicks on a malicious link or opens a malicious web page, arbitrary Java Script may be executed with this user's permissions. This can lead to information loss and/or modification of existing data. The issues are caused by a bug https://github.com/Baroshem/nuxt-security/issues/610 in the widely used nuxt-security module. There are no viable workarounds therefore we strongly recommend | [email protected] | 5.3 | 0.41% | 2025-03-31 | 2025-10-08 |
| CVE-2025-2402 | A hard-coded, non-random password for the object store (minio) of KNIME Business Hub in all versions except the ones listed below allows an unauthenticated remote attacker in possession of the password to read and manipulate swapped jobs or read and manipulate in- and output data of active jobs. It is also possible to cause a denial-of-service of most functionality of KNIME Business Hub by writing large amounts of data to the object store directly. There are no viable workarounds therefore w | [email protected] | 8.8 | 0.94% | 2025-03-31 | 2025-10-08 |
| CVE-2025-2787 | KNIME Business Hub is affected by the Ingress-nginx CVE-2025-1974 ( a.k.a IngressNightmare ) vulnerability which affects the ingress-nginx component. In the worst case a complete takeover of the Kubernetes cluster is possible. Since the affected component is only reachable from within the cluster, i.e. requires an authenticated user, the severity in the context of KNIME Business Hub is slightly lower. Besides applying the publicly known workarounds, we strongly recommend updating to one of th | [email protected] | 8.7 | 0.51% | 2025-03-26 | 2025-10-08 |
| CVE-2024-6598 | A denial-of-service attack is possible through the execution functionality of KNIME Business Hub 1.10.0 and 1.10.1. It allows an authenticated attacker with job execution privileges to execute a job that causes internal messages to pile up until there are no more resources available for processing new messages. This leads to an outage of most functionality of KNIME Business Hub. Recovery from the situation is only possible by manual administrator interaction. Please contact our support for instr | [email protected] | 7.1 | 0.88% | 2024-07-09 | 2025-10-08 |
| CVE-2023-5562 | An unsafe default configuration in KNIME Analytics Platform before 5.2.0 allows for a cross-site scripting attack. When KNIME Analytics Platform is used as an executor for either KNIME Server or KNIME Business Hub several JavaScript-based view nodes do not sanitize the data that is displayed by default. If the data to be displayed contains JavaScript this code is executed in the browser and can perform any operations that the current user is allowed to perform silently. KNIME Analytics Platf | [email protected] | 6.1 | 0.13% | 2023-10-12 | 2024-11-21 |
| CVE-2023-3140 | Missing HTTP headers (X-Frame-Options, Content-Security-Policy) in KNIME Business Hub before 1.4.0 has left users vulnerable to click jacking. Clickjacking is an attack that occurs when an attacker uses a transparent iframe in a window to trick a user into clicking on an actionable item, such as a button or link, to another server in which they have an identical webpage. The attacker essentially hijacks the user activity intended for the original server and sends them to the other server. | [email protected] | 4.3 | 0.15% | 2023-06-07 | 2024-11-21 |
| CVE-2023-2541 | The Web Frontend of KNIME Business Hub before 1.4.0 allows an unauthenticated remote attacker to access internals about the application such as versions, host names, or IP addresses. No personal information or application data was exposed. | [email protected] | 5.3 | 0.49% | 2023-06-07 | 2024-11-21 |
| CVE-2022-44749 | A directory traversal vulnerability in the ZIP archive extraction routines of KNIME Analytics Platform 3.2.0 and above can result in arbitrary files being overwritten on the user's system. This vulnerability is also known as 'Zip-Slip'. An attacker can create a KNIME workflow that, when being opened by a user, can overwrite arbitrary files that the user has write access to. It's not necessary to execute the workflow, opening the workflow is sufficient. The user will notice that something is | [email protected] | 5.5 | 0.06% | 2022-11-24 | 2024-11-21 |
| CVE-2022-44748 | A directory traversal vulnerability in the ZIP archive extraction routines of KNIME Server since 4.3.0 can result in arbitrary files being overwritten on the server's file system. This vulnerability is also known as 'Zip-Slip'. An attacker can create a KNIME workflow that, when being uploaded, can overwrite arbitrary files that the operating system user running the KNIME Server process has write access to. The user must be authenticated and have permissions to upload files to KNIME Server. | [email protected] | 7.1 | 4.17% | 2022-11-24 | 2024-11-21 |
| CVE-2022-31500 | In KNIME Analytics Platform below 4.6.0, the Windows installer sets improper filesystem permissions. | [email protected] | 7.8 | 0.03% | 2022-06-02 | 2024-11-21 |
| CVE-2021-45097 | KNIME Server before 4.12.6 and 4.13.x before 4.13.4 (when installed in unattended mode) keeps the administrator's password in a file without appropriate file access controls, allowing all local users to read its content. | [email protected] | 2.9 | 0.05% | 2021-12-16 | 2024-11-21 |
| CVE-2021-45096 | KNIME Analytics Platform before 4.5.0 is vulnerable to XXE (external XML entity injection) via a crafted workflow file (.knwf), aka AP-17730. | [email protected] | 4.7 | 0.33% | 2021-12-16 | 2024-11-21 |
| CVE-2021-44726 | KNIME Server before 4.13.4 allows XSS via the old WebPortal login page. | [email protected] | 8.8 | 0.39% | 2021-12-08 | 2024-11-21 |
| CVE-2021-44725 | KNIME Server before 4.13.4 allows directory traversal in a request for a client profile. | [email protected] | 7.5 | 0.26% | 2021-12-08 | 2024-11-21 |