Description
The LDAP implementation in HiveServer2 in Apache Hive before 1.0.1 and 1.1.x before 1.1.1, as used in IBM InfoSphere BigInsights 3.0, 3.0.0.1, and 3.0.0.2 and other products, mishandles simple unauthenticated and anonymous bind configurations, which allows remote attackers to bypass authentication via a crafted LDAP request.
Remediation
References
http://mail-archives.apache.org/mod_mbox/www-announce/201505.mbox/%3CCAOpgucy52yzNN1FaRcxwhZmx8ZtNRjmK6V0Bxk4svAD-R1q70Q%40mail.gmail.com%3E
http://www-01.ibm.com/support/docview.wss?uid=swg21969546
http://www.securitytracker.com/id/1034365
https://www.cloudera.com/documentation/other/security-bulletins/topics/csb_topic_1.html
Related Vulnerabilities
CVE-2023-36470 Vulnerability in maven package org.xwiki.platform:xwiki-platform-icon-script
CVE-2023-31125 Vulnerability in npm package engine.io
CVE-2017-1000006 Vulnerability in npm package plotly.js
CVE-2023-49395 Vulnerability in maven package com.jfinal:jfinal
CVE-2023-50422 Vulnerability in maven package com.sap.cloud.security.xsuaa:spring-xsuaa