Security restrictions bypass in Apache Hive - CVE-2018-11777


Published: November 9, 2018


Vulnerability identifier: #VU15782
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2018-11777
CWE-ID: CWE-264
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Apache Foundation
Affected software:
Apache Hive

Detailed vulnerability description

The vulnerability allows a remote authenticated attacker to bypass security restrictions on the target system.

The vulnerability exists due to improper security restrictions on local resources on HiveServer2 servers. When none of the Ranger, Sentry or SQL Standard authorizers is in use, a remote authenticated attacker can bypass security restrictions, access or modify any file, and conduct further attacks.


How to mitigate CVE-2018-11777

The vulnerability has been fixed in versions 2.3.4 and 3.1.1.
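As an added example (not part of the advisory or of the Apache Hive project), the following Python check combines the two facts this page gives: the fixed releases (2.3.4 and 3.1.1) and the condition under which an unpatched HiveServer2 is exposed (no Ranger, Sentry or SQL Standard authorizer in use). It parses a `hive-site.xml` and a reported Hive version and classifies the deployment. The configuration keys `hive.security.authorization.enabled` and `hive.security.authorization.manager` are the standard Hive ones; the class-name substrings used to recognise the three authorizers, and the assumption that the authorizer is wired through those two keys, are assumptions to confirm against the actual deployment. The sample `hive-site.xml` fragments are constructed for the example.

```python
"""Defender-side exposure check for CVE-2018-11777 (added example, not advisory code)."""
import xml.etree.ElementTree as ET
from typing import Dict, Optional, Tuple

# Fixed releases named by the advisory, keyed by release line (major version).
FIXED_VERSIONS = {2: (2, 3, 4), 3: (3, 1, 1)}

# Assumption: the authorizer factory class name for each of the three
# authorizers the advisory names contains one of these substrings.
KNOWN_AUTHORIZER_MARKERS = ("ranger", "sentry", "sqlstdhiveauthorizerfactory")


def parse_version(text: str) -> Tuple[int, int, int]:
    """'2.3.3' -> (2, 3, 3). Vendor-suffixed strings such as
    '3.1.0.3.1.0.0-78' keep only the first three numeric components."""
    parts = []
    for piece in text.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
        if len(parts) == 3:
            break
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def version_is_fixed(version: str) -> Optional[bool]:
    """True if the release contains the fix, False if it predates the fix in a
    release line the advisory covers, None for release lines it does not name."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[0])
    if fixed is None:
        return None
    return v >= fixed


def parse_hive_site(xml_text: str) -> Dict[str, str]:
    """Flatten a Hadoop-style <configuration><property><name/><value/> file."""
    props: Dict[str, str] = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = prop.findtext("name")
        if name is not None:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props


def authorizer_in_use(props: Dict[str, str]) -> bool:
    """Authorization must be switched on AND delegated to one of the three
    authorizers the advisory names (assumption: both wired via these keys)."""
    enabled = props.get("hive.security.authorization.enabled", "false").lower() == "true"
    manager = props.get("hive.security.authorization.manager", "").lower()
    return enabled and any(marker in manager for marker in KNOWN_AUTHORIZER_MARKERS)


def assess(version: str, hive_site_xml: str) -> str:
    """'patched', 'mitigated-by-authorizer', 'exposed', or 'review' when the
    release line is one the advisory does not cover and no authorizer is set."""
    fixed = version_is_fixed(version)
    if fixed is True:
        return "patched"
    if authorizer_in_use(parse_hive_site(hive_site_xml)):
        return "mitigated-by-authorizer"
    return "exposed" if fixed is False else "review"


# Constructed sample configurations (not taken from any real deployment).
SAMPLE_UNPROTECTED = """<configuration>
  <property><name>hive.server2.thrift.port</name><value>10000</value></property>
  <property><name>hive.security.authorization.enabled</name><value>false</value></property>
</configuration>"""

SAMPLE_SQLSTD = """<configuration>
  <property><name>hive.security.authorization.enabled</name><value>true</value></property>
  <property><name>hive.security.authorization.manager</name>
    <value>org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory</value>
  </property>
</configuration>"""

if __name__ == "__main__":
    for ver, cfg in (("2.3.3", SAMPLE_UNPROTECTED), ("2.3.3", SAMPLE_SQLSTD), ("3.1.1", SAMPLE_UNPROTECTED)):
        print(f"Hive {ver}: {assess(ver, cfg)}")
```

A result of `exposed` means the instance is both below the fixed release for its line and running without any of the named authorizers, which is exactly the state the advisory describes; `review` flags release lines the advisory does not cover so a human can decide rather than the script guessing.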

Sources