XXE attack in Apache Hive - CVE-2018-1284
Published: April 10, 2018 / Updated: April 10, 2018
Vulnerability identifier: #VU11626
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2018-1284
CWE-ID: CWE-611
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Apache Foundation
Affected software:
Apache Hive
Apache Hive
Detailed vulnerability description
The vulnerability allows a remote unauthenticated attacker to conduct XXE attack on the target system.
The weakness exists due to improper processing of XML input by multiple xpath UDFs when the affected software is configured to run HiveServer2 when the hive.server2.enable.doAs parameter is set to false. A remote attacker can submit customized XML input and gain access to potentially sensitive file information.
How to mitigate CVE-2018-1284
Update to version 2.3.3.