Description

The authorization framework in Apache Hive 1.0.0, 1.0.1, 1.1.0, 1.1.1, 1.2.0 and 1.2.1, on clusters protected by Ranger and SqlStdHiveAuthorization, allows attackers to bypass intended parent table access restrictions via unspecified partition-level operations.

Remediation

References

http://mail-archives.apache.org/mod_mbox/hive-user/201601.mbox/%3C20160128205008.2154F185EB%40minotaur.apache.org%3E

http://packetstormsecurity.com/files/135836/Apache-Hive-Authorization-Bypass.html

http://www.openwall.com/lists/oss-security/2016/01/28/12

http://www.securityfocus.com/archive/1/537549/100/0/threaded

Related Vulnerabilities

CVE-2013-3060 Vulnerability in maven package org.apache.activemq:activemq-core

CVE-2018-1999045 Vulnerability in maven package org.jenkins-ci.main:jenkins-core

CVE-2014-3623 Vulnerability in maven package org.apache.ws.security:wss4j

CVE-2019-10157 Vulnerability in npm package keycloak-connect

CVE-2021-26074 Vulnerability in maven package com.atlassian.connect:atlassian-connect-spring-boot-starter

Severity

Critical

Classification

CWE-287 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L