CVE-2021-40331 – org.apache.ranger:ranger-hive-plugin
Package
Manager: maven
Name: org.apache.ranger:ranger-hive-plugin
Vulnerable Version: >=2.0.0 <2.4.0
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
EPSS: 0.0009 (percentile: 0.26489)
Details
Apache Ranger Hive Plugin missing permissions check
An Incorrect Permission Assignment for Critical Resource vulnerability was found in the Apache Ranger Hive Plugin. Any user with SELECT privilege on a database can alter the ownership of the table in Hive when the Apache Ranger Hive Plugin is enabled. This issue affects Apache Ranger Hive Plugin versions 2.0.0 through 2.3.0. Users are recommended to upgrade to version 2.4.0 or later.
Metadata
Created: 2023-05-05T09:30:15Z
Modified: 2023-05-11T20:56:09Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/05/GHSA-vjr2-wpfh-5r9p/GHSA-vjr2-wpfh-5r9p.json
CWE IDs: ["CWE-732"]
Alternative ID: GHSA-vjr2-wpfh-5r9p
Finding: F039
Auto approve: 1