Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS12M3A4LWo1OTctM3hnOM4AAtbV
Apache Hive before 3.1.3 `CREATE` and `DROP` function operations do not check for necessary authorization.
Apache Hive before 3.1.3 CREATE
and DROP
function operations do not check for necessary authorization of involved entities in the query. It was found that an unauthorized user can manipulate an existing UDF without having the privileges to do so. This allowed unauthorized or underprivileged users to drop and recreate UDFs pointing them to new jars that could be potentially malicious.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS12M3A4LWo1OTctM3hnOM4AAtbV
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 2 years ago
Updated: about 1 year ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Identifiers: GHSA-v3p8-j597-3xg8, CVE-2021-34538
References:
- https://nvd.nist.gov/vuln/detail/CVE-2021-34538
- https://lists.apache.org/thread/oqqgnhz4c6nxsfd0xstosnk0g15f7354
- https://github.com/advisories/GHSA-v3p8-j597-3xg8
Affected Packages
maven:org.apache.hive:hive
Dependent packages: 2Dependent repositories: 7
Downloads:
Affected Version Ranges: < 3.1.3
Fixed in: 3.1.3
All affected versions: 0.13.0, 0.13.1, 0.14.0, 1.0.0, 1.0.1, 1.1.0, 1.1.1, 1.2.0, 1.2.1, 1.2.2, 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 2.3.7, 2.3.8, 2.3.9, 3.0.0, 3.1.0, 3.1.1, 3.1.2
All unaffected versions: 3.1.3, 4.0.0