CVE-2025-2402
HIGHKNIME Business Hub < 1.10.3 - Unauthenticated Hard-coded Password in Object Store
Title source: llmDescription
A hard-coded, non-random password for the object store (minio) of KNIME Business Hub in all versions except the ones listed below allows an unauthenticated remote attacker in possession of the password to read and manipulate swapped jobs or read and manipulate in- and output data of active jobs. It is also possible to cause a denial-of-service of most functionality of KNIME Business Hub by writing large amounts of data to the object store directly. There are no viable workarounds therefore we strongly recommend to update to one of the following versions of KNIME Business Hub: * 1.13.2 or later * 1.12.3 or later * 1.11.3 or later * 1.10.3 or later
References (2)
Core 2
Core References
Vendor Advisory
https://www.knime.com/security/advisories#CVE-2025-2402
Third Party Advisory
https://github.com/advisories/GHSA-v5p7-3387-gpmg
Scores
CVSS v3
8.6
EPSS
0.0034
EPSS Percentile
26.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-259
Status
published
Products (1)
knime/business_hub
< 1.10.3
Published
Mar 31, 2025
Tracked Since
Feb 18, 2026