Data Exposure Vulnerability in Apache Impala Incubating Product
CVE-2017-9792
6.5 MEDIUM
Summary
In versions of Apache Impala prior to 2.10.0, a vulnerability allows a user with 'ALTER' permissions on an Impala table to compromise the data integrity of Kudu tables. By changing the table's properties to mark it as 'external' and altering the table mapping, a malicious user can bypass the authorization requirements for access to sensitive data across Kudu tables. This scenario highlights a critical flaw in privilege enforcement for 'ALTER' commands that could lead to unauthorized data exposure. To mitigate this risk, it is essential to enforce the same access controls for 'ALTER' commands as are enforced for 'CREATE' operations.
Affected Version(s)
Apache Impala 2.8.0 incubating
Apache Impala 2.9.0 incubating
CVSS V3.1
Score: 6.5
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved