Description

The LDAP implementation in HiveServer2 in Apache Hive before 1.0.1 and 1.1.x before 1.1.1, as used in IBM InfoSphere BigInsights 3.0, 3.0.0.1, and 3.0.0.2 and other products, mishandles simple unauthenticated and anonymous bind configurations, which allows remote attackers to bypass authentication via a crafted LDAP request.

Remediation

References

http://mail-archives.apache.org/mod_mbox/www-announce/201505.mbox/%3CCAOpgucy52yzNN1FaRcxwhZmx8ZtNRjmK6V0Bxk4svAD-R1q70Q%40mail.gmail.com%3E

http://www-01.ibm.com/support/docview.wss?uid=swg21969546

http://www.securitytracker.com/id/1034365

https://www.cloudera.com/documentation/other/security-bulletins/topics/csb_topic_1.html

Related Vulnerabilities

CVE-2013-6374 Vulnerability in maven package com.sonyericsson.jenkins.plugins.bfa:build-failure-analyzer

CVE-2020-12725 Vulnerability in npm package redash

CVE-2023-29203 Vulnerability in maven package org.xwiki.platform:xwiki-platform-web-templates

CVE-2023-33942 Vulnerability in maven package com.liferay:com.liferay.asset.browser.web

CVE-2018-1000136 Vulnerability in npm package electron

Severity

High

Classification

CWE-287 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Tags

Vendor Advisory