Description

The authorization framework in Apache Hive 1.0.0, 1.0.1, 1.1.0, 1.1.1, 1.2.0 and 1.2.1, on clusters protected by Ranger and SqlStdHiveAuthorization, allows attackers to bypass intended parent table access restrictions via unspecified partition-level operations.

Remediation

References

http://mail-archives.apache.org/mod_mbox/hive-user/201601.mbox/%3C20160128205008.2154F185EB%40minotaur.apache.org%3E

http://packetstormsecurity.com/files/135836/Apache-Hive-Authorization-Bypass.html

http://www.openwall.com/lists/oss-security/2016/01/28/12

http://www.securityfocus.com/archive/1/537549/100/0/threaded

Related Vulnerabilities

CVE-2012-5633 Vulnerability in maven package org.apache.cxf:cxf-rt-ws-security

CVE-2023-1784 Vulnerability in maven package org.jeecgframework.boot:jeecg-boot-parent

CVE-2017-2604 Vulnerability in maven package org.jenkins-ci.main:jenkins-core

CVE-2017-12610 Vulnerability in maven package org.apache.kafka:kafka_2.10

CVE-2012-5886 Vulnerability in maven package tomcat:catalina

Severity

Critical

Classification

CWE-287 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L