Acunetix DAST powers runtime capabilities for Invicti’s complete AppSec platform. Visit Invicti for more.

WEB APPLICATION VULNERABILITIES SCA (Software Composition Analysis)

CVE-2021-34538 Vulnerability in maven package org.apache.hive:hive

Description

Apache Hive before 3.1.3 "CREATE" and "DROP" function operations does not check for necessary authorization of involved entities in the query. It was found that an unauthorized user can manipulate an existing UDF without having the privileges to do so. This allowed unauthorized or underprivileged users to drop and recreate UDFs pointing them to new jars that could be potentially malicious.

Remediation

References

https://lists.apache.org/thread/oqqgnhz4c6nxsfd0xstosnk0g15f7354

Related Vulnerabilities

CVE-2019-10410 Vulnerability in maven package org.jenkins-ci.plugins:log-parser

CVE-2020-17518 Vulnerability in maven package org.apache.flink:flink-runtime_2.11

CVE-2023-33201 Vulnerability in maven package org.bouncycastle:bcprov-debug-jdk18on

CVE-2023-35147 Vulnerability in maven package org.jenkins-ci.plugins:aws-codecommit-trigger

CVE-2023-5217 Vulnerability in npm package electron

Severity

High

Classification

CWE-306 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Tags

Mailing List Vendor Advisory