CVE-2021-34538

Apache Hive Security vulnerability in Hive with UDFs

EPSS 1.4%CWE-306

Vexday Risk Score

3Bajo

Decisión SSVC (CISA)

Track

Sin señal de explotación → monitorear

CVSS —EPSS 1.4%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

16 jul 2022Publicada en NVD

Recomendación: Monitorear — sin señal de explotación por ahora.

Apache Hive before 3.1.3 "CREATE" and "DROP" function operations does not check for necessary authorization of involved entities in the query. It was found that an unauthorized user can manipulate an existing UDF without having the privileges to do so. This allowed unauthorized or underprivileged users to drop and recreate UDFs pointing them to new jars that could be potentially malicious.

Productos afectados

Apache Software Foundation · Apache Hive

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://lists.apache.org/thread/oqqgnhz4c6nxsfd0xstosnk0g15f7354