Apache Hive Authorization Flaw Allows Unauthorized Data Access
CVE-2014-0228
Currently unrated
Summary
Apache Hive, a popular data warehousing tool built on top of Hadoop, has a critical authorization flaw in versions before 0.13.1. In SQL standards-based authorization mode, Hive does not correctly enforce file permissions for import and export actions. A remote authenticated user can exploit this by crafting specific URIs, potentially gaining unauthorized access to sensitive information. Organizations running affected versions of Apache Hive must address this vulnerability promptly to secure their data and prevent unauthorized information disclosure.