#VU15782 Security restrictions bypass in Apache Hive - CVE-2018-11777

 

Published: November 9, 2018


Vulnerability identifier: #VU15782
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2018-11777
CWE-ID: CWE-264
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Apache Hive
Software vendor: Apache Foundation

Description

The vulnerability allows a remote authenticated attacker to bypass security restrictions on the target system.

The vulnerability exists due to improper security restrictions on local resources on HiveServer2 servers. If the Ranger, Sentry or SQL Standard authorizers are not in use, a remote authenticated attacker can bypass security restrictions, access or modify any file, and conduct further attacks.


Remediation

The vulnerability has been fixed in versions 2.3.4 and 3.1.1.
