Description
The LDAP implementation in HiveServer2 in Apache Hive before 1.0.1 and 1.1.x before 1.1.1, as used in IBM InfoSphere BigInsights 3.0, 3.0.0.1, and 3.0.0.2 and other products, mishandles simple unauthenticated and anonymous bind configurations, which allows remote attackers to bypass authentication via a crafted LDAP request.
References
http://www-01.ibm.com/support/docview.wss?uid=swg21969546
http://www.securitytracker.com/id/1034365
https://www.cloudera.com/documentation/other/security-bulletins/topics/csb_topic_1.html
http://mail-archives.apache.org/mod_mbox/www-announce/201505.mbox/%3CCAOpgucy52yzNN1FaRcxwhZmx8ZtNRjmK6V0Bxk4svAD-R1q70Q%40mail.gmail.com%3E