Description

The LDAP implementation in HiveServer2 in Apache Hive before 1.0.1 and 1.1.x before 1.1.1, as used in IBM InfoSphere BigInsights 3.0, 3.0.0.1, and 3.0.0.2 and other products, mishandles simple unauthenticated and anonymous bind configurations, which allows remote attackers to bypass authentication via a crafted LDAP request.

Remediation

References

http://mail-archives.apache.org/mod_mbox/www-announce/201505.mbox/%3CCAOpgucy52yzNN1FaRcxwhZmx8ZtNRjmK6V0Bxk4svAD-R1q70Q%40mail.gmail.com%3E

http://www.securitytracker.com/id/1034365

http://www-01.ibm.com/support/docview.wss?uid=swg21969546

https://www.cloudera.com/documentation/other/security-bulletins/topics/csb_topic_1.html

Related Vulnerabilities

CVE-2023-23623 Vulnerability in npm package electron

CVE-2019-10405 Vulnerability in maven package org.jenkins-ci.main:jenkins-core

CVE-2012-5887 Vulnerability in maven package org.apache.tomcat.embed:tomcat-embed-core

CVE-2018-1000145 Vulnerability in maven package org.jvnet.hudson.plugins:perforce

CVE-2017-1000389 Vulnerability in maven package org.jenkins-ci.plugins:plugin

Severity

High

Classification

CWE-287 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Tags

Vendor Advisory