CVE-2021-34538

Apache Hive Security vulnerability in Hive with UDFs

EPSS 1.4%CWE-306

Vexday Risk Score

3Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS —EPSS 1.4%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

16 Jul 2022Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

Apache Hive before 3.1.3 "CREATE" and "DROP" function operations does not check for necessary authorization of involved entities in the query. It was found that an unauthorized user can manipulate an existing UDF without having the privileges to do so. This allowed unauthorized or underprivileged users to drop and recreate UDFs pointing them to new jars that could be potentially malicious.

Affected products

Apache Software Foundation · Apache Hive

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://lists.apache.org/thread/oqqgnhz4c6nxsfd0xstosnk0g15f7354