#VU76481 Missing Authentication for Critical Function in Apache Hive - CVE-2021-34538

 


Published: May 24, 2023


Vulnerability identifier: #VU76481
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2021-34538
CWE-ID: CWE-306
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
Apache Hive
Software vendor:
Apache Foundation

Description

The vulnerability allows a remote attacker to bypass the authentication process.

The vulnerability exists because the CREATE() and DROP() function operations do not check for the necessary authorization of the entities involved in the query. A remote unauthenticated attacker can manipulate an existing UDF by dropping and recreating UDFs, pointing them to new jars that could be malicious.
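
As a detection aid for the drop-and-recreate pattern described above, this added example (not part of the original advisory or of Apache Hive) scans a sequence of HiveQL statements and flags any UDF that was dropped and then re-created with a different class or resource URI. The `(user, statement)` input shape, the name `find_udf_repoints` and all sample values are assumptions constructed for illustration.

```python
import re

# Constructed sample: (user, statement) pairs, e.g. pulled from a query audit trail.
SAMPLE = [
    ("etl_svc", "CREATE FUNCTION sales.mask_ssn AS 'com.example.udf.MaskSsn' "
                "USING JAR 'hdfs:///apps/udf/mask-1.2.jar'"),
    ("etl_svc", "SELECT sales.mask_ssn(ssn) FROM sales.customers"),
    ("guest", "DROP FUNCTION IF EXISTS sales.mask_ssn"),
    ("guest", "create function sales.mask_ssn as 'com.example.udf.MaskSsn' "
              "using jar 'hdfs:///tmp/guest/mask.jar'"),
    ("etl_svc", "DROP FUNCTION sales.to_eur"),  # dropped, never re-created
]

# HiveQL: CREATE [TEMPORARY] FUNCTION name AS 'class' [USING JAR|FILE|ARCHIVE 'uri', ...]
CREATE_RE = re.compile(
    r"^\s*CREATE\s+(?:TEMPORARY\s+)?FUNCTION\s+([\w.`]+)\s+AS\s+'([^']+)'(.*)$",
    re.I | re.S)
DROP_RE = re.compile(
    r"^\s*DROP\s+(?:TEMPORARY\s+)?FUNCTION\s+(?:IF\s+EXISTS\s+)?([\w.`]+)", re.I)
RES_RE = re.compile(r"\b(?:JAR|FILE|ARCHIVE)\s+'([^']+)'", re.I)


def find_udf_repoints(events):
    """Return UDFs that were dropped and re-created with a different class or resource."""
    defs, dropped, findings = {}, {}, []
    for user, stmt in events:
        m = DROP_RE.match(stmt)
        if m:
            dropped[m.group(1).replace("`", "").lower()] = user
            continue
        m = CREATE_RE.match(stmt)
        if not m:
            continue
        name = m.group(1).replace("`", "").lower()
        new = (m.group(2), tuple(RES_RE.findall(m.group(3))))
        old = defs.get(name)
        if old and name in dropped and old[:2] != new:
            findings.append({"function": name, "old_class": old[0], "old_resources": old[1],
                             "new_class": new[0], "new_resources": new[1],
                             "first_created_by": old[2], "dropped_by": dropped[name],
                             "recreated_by": user})
        defs[name] = new + (user,)
        dropped.pop(name, None)
    return findings


if __name__ == "__main__":
    for f in find_udf_repoints(SAMPLE):
        print(f)
```

Findings where `recreated_by` differs from `first_created_by`, or where the new resource URI sits in a user-writable location, are the ones to review first.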


Remediation

Install updates from the vendor's website.
