Description

Apache Hive before 3.1.3 "CREATE" and "DROP" function operations does not check for necessary authorization of involved entities in the query. It was found that an unauthorized user can manipulate an existing UDF without having the privileges to do so. This allowed unauthorized or underprivileged users to drop and recreate UDFs pointing them to new jars that could be potentially malicious.

Remediation

References

https://lists.apache.org/thread/oqqgnhz4c6nxsfd0xstosnk0g15f7354

Related Vulnerabilities

CVE-2022-36893 Vulnerability in maven package org.jenkins-ci.plugins:rpmsign-plugin

CVE-2019-17570 Vulnerability in maven package org.apache.xmlrpc:xmlrpc-client

CVE-2022-36915 Vulnerability in maven package org.jenkins-ci.plugins:android-signing

CVE-2023-32697 Vulnerability in maven package org.xerial:sqlite-jdbc

CVE-2023-24432 Vulnerability in maven package io.jenkins.plugins:macstadium-orka

Severity

High

Classification

CWE-306 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Tags

Mailing List Vendor Advisory