Description

The LDAP implementation in HiveServer2 in Apache Hive before 1.0.1 and 1.1.x before 1.1.1, as used in IBM InfoSphere BigInsights 3.0, 3.0.0.1, and 3.0.0.2 and other products, mishandles simple unauthenticated and anonymous bind configurations, which allows remote attackers to bypass authentication via a crafted LDAP request.

Remediation

References

http://mail-archives.apache.org/mod_mbox/www-announce/201505.mbox/%3CCAOpgucy52yzNN1FaRcxwhZmx8ZtNRjmK6V0Bxk4svAD-R1q70Q%40mail.gmail.com%3E

http://www.securitytracker.com/id/1034365

http://www-01.ibm.com/support/docview.wss?uid=swg21969546

https://www.cloudera.com/documentation/other/security-bulletins/topics/csb_topic_1.html

Related Vulnerabilities

CVE-2019-10302 Vulnerability in maven package org.jenkins-ci.plugins:jira-ext

CVE-2016-8735 Vulnerability in maven package org.apache.tomcat:tomcat-catalina-jmx-remote

CVE-2023-28676 Vulnerability in maven package org.jenkins-ci.plugins:convert-to-pipeline

CVE-2017-15684 Vulnerability in maven package org.craftercms:crafter-studio

CVE-2017-15697 Vulnerability in maven package org.apache.nifi:nifi-jetty

Severity

High

Classification

CWE-287 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Tags

Vendor Advisory