Access Restriction Bypass

Affecting org.apache.hive:hive-exec artifact, versions [,2.3.4), [3.1.0, 3.1.1)

high severity

Overview

org.apache.hive:hive-exec is data warehouse software that facilitates reading, writing, and managing large datasets residing in distributed storage using SQL.

Affected versions of this package are vulnerable to Access Restriction Bypass. Local resources on HiveServer2 machines are not properly protected against a malicious user if Ranger, Sentry or the SQL standard authorizer is not in use.

Remediation

Upgrade org.apache.hive:hive-exec to versions 2.3.4, 3.1.1 or higher.


Credit: Mithun Radhakrishna
CVE: CVE-2018-11777
CWE: CWE-284
Snyk ID: SNYK-JAVA-ORGAPACHEHIVE-72580
Disclosed: 08 Nov, 2018
Published: 12 Nov, 2018