Vulnerability identifier: #VU15782
Vulnerability risk: Low
CVSSv3.1: 5.5 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID: CWE-264
Exploitation vector: Network
Exploit availability: No
Vulnerable software: Apache Hive
Software category: Server applications / Database software
Vendor: Apache Foundation
Description
The vulnerability allows a remote authenticated attacker to bypass security restrictions on the target system.
The vulnerability exists due to improper protection of local resources on HiveServer2 hosts. If the Ranger, Sentry or SQL Standard authorizers are not in use, a remote authenticated attacker can bypass security restrictions to access or modify arbitrary files on the HiveServer2 host and conduct further attacks.
Mitigation
The vulnerability has been fixed in versions 2.3.4 and 3.1.1.
Vulnerable software versions
Apache Hive: 2.3.0 - 3.1.0
External links
http://lists.apache.org/thread.html/963c8e2516405c9b532b4add16c03b2c5db621e0c83e80f45049cbbb@%3Cdev.hive.apache.org%3E
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.