KNIME Business Hub Security Advisory: Multiple CVEs (XSS, DoS, Hard-coded Password)

Critical Vulnerability Information 1. CVE-2019-3519 - Cross-site scripting vulnerabilities in KNIME Business Hub web pages - CVSS Score: 5.3 - Affected Products: KNIME Business Hub 13.3, 13.2.4 - Description: Multiple cross-site scripting vulnerabilities exist in the web pages of KNIME Business Hub. - Solution: Upgrade to version 13.3.1 or later. 2. CVE-2019-2787 - Ingress-nginx vulnerability in KNIME Business Hub - CVSS Score: 6.0 - Affected Products: All versions of KNIME Business Hub - Description: The KNIME Business Hub is affected by the ingress-nginx CVE-2019-19174 vulnerability. - Solution: Upgrade to a newer version of KNIME Business Hub that includes a patched version of ingress-nginx. 3. CVE-2020-2402 - Hard-coded password for object store of KNIME Business Hub - CVSS Score: 6.8 - Affected Products: All versions of KNIME Business Hub - Description: A hard-coded, non-random, and identical token allows an attacker to access and manipulate data stored in the object store. - Solution: Upgrade to version 13.3.1 or later. 4. CVE-2020-4508 - Denial-of-service on KNIME Business Hub when certain jobs are executed - CVSS Score: 7.1 - Affected Products: KNIME Business Hub 13.0 and 13.0.1 - Description: A denial-of-service attack is possible through the execution functionality of KNIME Business Hub 13.0 and 13.0.1. - Solution: Upgrade to version 13.0.2 or later. 5. CVE-2021-5052 - Unsafe default allows for cross-site scripting attacks in KNIME Server and KNIME Business Hub - Base CVSS Score: 5.3 - Affected Products: KNIME Analytics Platform before 5.2.2 - Description: An unsafe default configuration in KNIME Analytics Platform before 5.2.2 allows a cross-site scripting attack. - Solution: Upgrade to version 5.2.2 or later. 6. External CVE-2018-4508 - Vulnerability in Apache Tomcat - Base CVSS Score: 9.8 - Affected Product: KNIME Server - Description: A vulnerability in the form authentication of Apache Tomcat versions below 8.0.48 has recently been disclosed. - Solution: Update to Apache Tomcat version 8.0.48 or higher. 7. CVE-2021-2641 - Sensitive information disclosure in KNIME Web Application - Base CVSS Score: 4.3 - Affected Products: KNIME Business Hub before 14.0 - Description: Missing HTTP headers (X-Frame-Options, Content-Security-Policy) in KNIME Business Hub before 14.0. - Solution: Upgrade to version 14.0 or later. 8. CVE-2022-47478 - Uploading workflows to KNIME Server may override arbitrary file contents - Base CVSS Score: 7.1 - Affected Products: KNIME Server 4.3.0, 4.3.4, 4.3.5 - Description: A directory traversal vulnerability in the workflow archive extraction routines of any version of KNIME Analytics Platform can result in arbitrary files being overwritten on the user's system. - Solution: Upgrade to version 4.4.0 or 4.4.3 (once they become available). 9. CVE-2022-47479 - Opening workflows in KNIME Analytics Platform from untrusted sources may execute arbitrary code - Base CVSS Score: 5.5 - Affected Products: KNIME Analytics Platform since 3.2.0 - Description: This vulnerability allows an attacker to create a KNIME workflow that, when opened by a user, can overwrite arbitrary files on the user's system. - Solution: Do not open workflows from untrusted sources. 10. CVE-2022-47480 - Windows Installer for KNIME Analytics Platform allows for privilege escalation - Base CVSS Score: 8.2 - Affected Products: KNIME Analytics Platform before 4.6.0 - Description: The installer for KNIME Analytics Platform on Windows before 4.6.0 makes the installation directory writable to the user running the installer. - Solution: Upgrade to version 4.6.0 or later.

Goal Reached Thanks to every supporter — we hit 100%!

KNIME Business Hub Security Advisory: Multiple CVEs (XSS, DoS, Hard-coded Password)