
CVE-2025-2402: Hard-coded password for object store of KNIME Business Hub

8.8 CVSS

Description

A hard-coded, non-random password for the object store (minio) of KNIME Business Hub in all versions except the ones listed below allows an unauthenticated remote attacker in possession of the password to read and manipulate swapped jobs or read and manipulate in- and output data of active jobs. It is also possible to cause a denial-of-service of most functionality of KNIME Business Hub by writing large amounts of data to the object store directly.

There are no viable workarounds; we therefore strongly recommend updating to one of the following versions of KNIME Business Hub:

* 1.13.2 or later

* 1.12.3 or later

* 1.11.3 or later

* 1.10.3 or later
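The fixed versions above are listed per release line, so a plain "newer than 1.10.3" comparison would wrongly clear a release such as 1.12.1. The following triage check is an added example, not code from KNIME or from this page; it assumes that each entry applies to its own minor release line, that release lines newer than 1.13 include the fix, and that lines older than 1.10 have no fixed release. The function names and the sample inventory are hypothetical.

```python
import re

# Fixed releases named in the advisory, keyed by (major, minor) release line.
FIXED_PATCH = {(1, 13): 2, (1, 12): 3, (1, 11): 3, (1, 10): 3}

def parse_version(text):
    """Parse 'X.Y.Z' (optional leading 'v') into a tuple of ints."""
    match = re.fullmatch(r"\s*v?(\d+)\.(\d+)\.(\d+)\s*", text)
    if match is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in match.groups())

def is_affected(version):
    """True if this version predates the fix on its release line."""
    major, minor, patch = parse_version(version)
    line = (major, minor)
    if line > max(FIXED_PATCH):
        return False  # assumption: lines newer than 1.13 include the fix
    if line not in FIXED_PATCH:
        return True   # older lines have no fixed release listed
    return patch < FIXED_PATCH[line]

def triage(inventory):
    """Split {name: version} into affected, fixed and unparseable entries."""
    result = {"affected": [], "fixed": [], "unknown": []}
    for name, version in sorted(inventory.items()):
        try:
            bucket = "affected" if is_affected(version) else "fixed"
        except ValueError:
            bucket = "unknown"  # review by hand rather than assume safe
        result[bucket].append(name)
    return result

# Constructed inventory; the instance names are hypothetical.
SAMPLE = {
    "hub-prod": "1.12.1",
    "hub-staging": "1.13.2",
    "hub-dev": "1.13.0",
    "hub-legacy": "1.9.4",
    "hub-lab": "1.14.0",
    "hub-test": "latest",
}

if __name__ == "__main__":
    for bucket, names in triage(SAMPLE).items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```
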

Classification

CVE ID: CVE-2025-2402

CVSS Base Severity: HIGH

CVSS Base Score: 8.8

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:L/SI:L/SA:N/AU:Y/R:U/V:C/RE:M/U:Amber

Problem Types

CWE-259

Affected Products

Vendor: KNIME

Product: KNIME Business Hub

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.13% (probability of being exploited)

EPSS Percentile: 34.3% (share of scored vulnerabilities with an equal or lower EPSS score)

EPSS Date: 2025-04-29 (date on which this score was calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-2402
https://www.knime.com/security/advisories#CVE-2025-2402

Timeline