Description

The LDAP implementation in HiveServer2 in Apache Hive before 1.0.1 and 1.1.x before 1.1.1, as used in IBM InfoSphere BigInsights 3.0, 3.0.0.1, and 3.0.0.2 and other products, mishandles simple unauthenticated and anonymous bind configurations, which allows remote attackers to bypass authentication via a crafted LDAP request.

Remediation

References

http://mail-archives.apache.org/mod_mbox/www-announce/201505.mbox/%3CCAOpgucy52yzNN1FaRcxwhZmx8ZtNRjmK6V0Bxk4svAD-R1q70Q%40mail.gmail.com%3E

http://www-01.ibm.com/support/docview.wss?uid=swg21969546

http://www.securitytracker.com/id/1034365

https://www.cloudera.com/documentation/other/security-bulletins/topics/csb_topic_1.html

Related Vulnerabilities

CVE-2023-33948 Vulnerability in maven package com.liferay.portal:release.portal.bom

CVE-2023-24456 Vulnerability in maven package org.jenkins-ci.plugins:keycloak

CVE-2011-0013 Vulnerability in maven package org.apache.tomcat:catalina

CVE-2022-38723 Vulnerability in maven package io.gravitee.apim.rest.api:gravitee-apim-rest-api-service

CVE-2018-5158 Vulnerability in maven package org.webjars.bower:pdfjs-dist

Severity

High

Classification

CWE-287 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Tags

Vendor Advisory