Authorization Bypass in Apache Hive by Apache
CVE-2015-7521

8.3HIGH

Key Information:

Vendor
Apache
Status
Hive
Vendor
CVE Published:
29 January 2016

Summary

An issue within the authorization framework of Apache Hive versions 1.0.0 to 1.2.1 allows unauthorized users to manipulate table access controls. Specifically, attackers can bypass intended restrictions meant to govern access rights to parent tables through certain, unspecified operations at the partition level. This vulnerability raises significant concerns regarding data security and access management in clusters secured by Ranger and SqlStdHiveAuthorization.

References

http://www.openwall.com/lists/oss-security/2016/01/28/12
mailing-listx_refsource_MLIST
http://www.securityfocus.com/archive/1/537549/100/0/threaded
mailing-listx_refsource_BUGTRAQ
http://packetstormsecurity.com/files/135836/Apache-Hive-A...
x_refsource_MISC

CVSS V3.1

Score:
8.3
Severity:
HIGH
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.