CVE-2021-34538 – org.apache.hive:hive

Package

Manager: maven
Name: org.apache.hive:hive
Vulnerable Version: >=0 <3.1.3

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00284 pctl0.51419

Details

Apache Hive before 3.1.3 `CREATE` and `DROP` function operations do not check for necessary authorization. Apache Hive before 3.1.3 `CREATE` and `DROP` function operations do not check for necessary authorization of involved entities in the query. It was found that an unauthorized user can manipulate an existing UDF without having the privileges to do so. This allowed unauthorized or underprivileged users to drop and recreate UDFs pointing them to new jars that could be potentially malicious.

Metadata

Created: 2022-07-17T00:00:45Z
Modified: 2022-07-22T16:28:26Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-v3p8-j597-3xg8/GHSA-v3p8-j597-3xg8.json
CWE IDs: ["CWE-306"]
Alternative ID: GHSA-v3p8-j597-3xg8
Finding: F006
Auto approve: 1