Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTgzcjMtYzc5dy1mNndj
High severity vulnerability that affects org.apache.hive:hive, org.apache.hive:hive-exec, and org.apache.hive:hive-service
The authorization framework in Apache Hive 1.0.0, 1.0.1, 1.1.0, 1.1.1, 1.2.0 and 1.2.1, on clusters protected by Ranger and SqlStdHiveAuthorization, allows attackers to bypass intended parent table access restrictions via unspecified partition-level operations.
Permalink: https://github.com/advisories/GHSA-83r3-c79w-f6wcJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTgzcjMtYzc5dy1mNndj
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 5 years ago
Updated: over 1 year ago
CVSS Score: 8.3
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
Identifiers: GHSA-83r3-c79w-f6wc, CVE-2015-7521
References:
- https://nvd.nist.gov/vuln/detail/CVE-2015-7521
- https://github.com/advisories/GHSA-83r3-c79w-f6wc
- http://mail-archives.apache.org/mod_mbox/hive-user/201601.mbox/%3C20160128205008.2154F185EB%40minotaur.apache.org%3E
- http://packetstormsecurity.com/files/135836/Apache-Hive-Authorization-Bypass.html
- http://www.openwall.com/lists/oss-security/2016/01/28/12
- http://www.securityfocus.com/archive/1/537549/100/0/threaded
Affected Packages
maven:org.apache.hive:hive-service
Dependent packages: 150Dependent repositories: 962
Downloads:
Affected Version Ranges: >= 1.0.0, < 1.2.2
Fixed in: 1.2.2
All affected versions: 1.0.0, 1.0.1, 1.1.0, 1.1.1, 1.2.0, 1.2.1
All unaffected versions: 0.8.0, 0.8.1, 0.9.0, 0.10.0, 0.11.0, 0.12.0, 0.13.0, 0.13.1, 0.14.0, 1.2.2, 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 2.3.7, 2.3.8, 2.3.9, 3.0.0, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 4.0.0
maven:org.apache.hive:hive-exec
Dependent packages: 428Dependent repositories: 3,002
Downloads:
Affected Version Ranges: >= 1.0.0, < 1.2.2
Fixed in: 1.2.2
All affected versions: 1.0.0, 1.0.1, 1.1.0, 1.1.1, 1.2.0, 1.2.1
All unaffected versions: 0.8.0, 0.8.1, 0.9.0, 0.10.0, 0.11.0, 0.12.0, 0.13.0, 0.13.1, 0.14.0, 1.2.2, 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 2.3.7, 2.3.8, 2.3.9, 3.0.0, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 4.0.0
maven:org.apache.hive:hive
Dependent packages: 2Dependent repositories: 7
Downloads:
Affected Version Ranges: >= 1.0.0, < 1.2.2
Fixed in: 1.2.2
All affected versions: 1.0.0, 1.0.1, 1.1.0, 1.1.1, 1.2.0, 1.2.1
All unaffected versions: 0.13.0, 0.13.1, 0.14.0, 1.2.2, 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 2.3.7, 2.3.8, 2.3.9, 3.0.0, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 4.0.0