Description

Apache Hive before 3.1.3 "CREATE" and "DROP" function operations does not check for necessary authorization of involved entities in the query. It was found that an unauthorized user can manipulate an existing UDF without having the privileges to do so. This allowed unauthorized or underprivileged users to drop and recreate UDFs pointing them to new jars that could be potentially malicious.

Remediation

References

https://lists.apache.org/thread/oqqgnhz4c6nxsfd0xstosnk0g15f7354

Related Vulnerabilities

CVE-2022-34813 Vulnerability in maven package org.jenkins-ci.plugins:xpath-config-viewer

CVE-2022-34199 Vulnerability in maven package com.convertigo.jenkins.plugins:convertigo-mobile-platform

CVE-2022-31160 Vulnerability in maven package org.webjars.npm:jquery-ui

CVE-2022-36910 Vulnerability in maven package org.jenkins-ci.plugins:lucene-search

CVE-2023-49299 Vulnerability in maven package org.apache.dolphinscheduler:dolphinscheduler-master

Severity

High

Classification

CWE-306 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Tags

Mailing List Vendor Advisory