Description
The LDAP implementation in HiveServer2 in Apache Hive before 1.0.1 and 1.1.x before 1.1.1, as used in IBM InfoSphere BigInsights 3.0, 3.0.0.1, and 3.0.0.2 and other products, mishandles simple unauthenticated and anonymous bind configurations, which allows remote attackers to bypass authentication via a crafted LDAP request.
Remediation
References
http://www-01.ibm.com/support/docview.wss?uid=swg21969546
http://www.securitytracker.com/id/1034365
https://www.cloudera.com/documentation/other/security-bulletins/topics/csb_topic_1.html
http://mail-archives.apache.org/mod_mbox/www-announce/201505.mbox/%3CCAOpgucy52yzNN1FaRcxwhZmx8ZtNRjmK6V0Bxk4svAD-R1q70Q%40mail.gmail.com%3E