Exposure of Sensitive Information to an Unauthorized Actor in Apache hive · CVE-2018-1284 · GitHub Advisory Database · GitHub

Exposure of Sensitive Information to an Unauthorized Actor in Apache hive

Low severity GitHub Reviewed Published Nov 21, 2018 to the GitHub Advisory Database • Updated Mar 4, 2024

Package

org.apache.hive:hive (Maven)

Affected versions

>= 0.6.0, < 2.3.3

Patched versions

2.3.3

org.apache.hive:hive-exec (Maven)

>= 0.6.0, < 2.3.3

2.3.3

org.apache.hive:hive-service (Maven)

>= 0.6.0, < 2.3.3

2.3.3

Description

In Apache Hive 0.6.0 to 2.3.2, malicious user might use any xpath UDFs (xpath/xpath_string/xpath_boolean/xpath_number/xpath_double/xpath_float/xpath_long/xpath_int/xpath_short) to expose the content of a file on the machine running HiveServer2 owned by HiveServer2 user (usually hive) if hive.server2.enable.doAs=false.

References

Published to the GitHub Advisory Database Nov 21, 2018

Reviewed Jun 16, 2020

Last updated Mar 4, 2024

Severity

Low

3.7

/ 10

CVSS base metrics

Attack vector

Network

Attack complexity

High

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N