Description

The authorization framework in Apache Hive 1.0.0, 1.0.1, 1.1.0, 1.1.1, 1.2.0 and 1.2.1, on clusters protected by Ranger and SqlStdHiveAuthorization, allows attackers to bypass intended parent table access restrictions via unspecified partition-level operations.

Remediation

References

http://mail-archives.apache.org/mod_mbox/hive-user/201601.mbox/%3C20160128205008.2154F185EB%40minotaur.apache.org%3E

http://packetstormsecurity.com/files/135836/Apache-Hive-Authorization-Bypass.html

http://www.openwall.com/lists/oss-security/2016/01/28/12

http://www.securityfocus.com/archive/1/537549/100/0/threaded

Related Vulnerabilities

CVE-2017-12610 Vulnerability in maven package org.apache.kafka:kafka_2.11

CVE-2016-10532 Vulnerability in npm package console-io

CVE-2022-39387 Vulnerability in maven package org.xwiki.contrib.oidc:oidc-authenticator

CVE-2012-5887 Vulnerability in maven package org.apache.tomcat.embed:tomcat-embed-core

CVE-2022-38180 Vulnerability in maven package io.ktor:ktor-client-core

Severity

Critical

Classification

CWE-287 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L