SQL Injection Vulnerability in Apache Hive JDBC Driver
CVE-2018-1282
9.1 CRITICAL
What is CVE-2018-1282?
The Apache Hive JDBC driver, versions 0.7.1 to 2.3.2, is vulnerable to SQL injection. Input parameters are not properly sanitized, so crafted arguments can bypass the argument escaping in the driver's PreparedStatement implementation. As a result, malicious users can manipulate database queries, which poses significant security risks to applications that depend on this driver.
Affected Version(s)
Apache Hive 0.7.1 to 2.3.2
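The affected range above can be turned into an inventory check. The following Python is an added example, not part of this advisory or of Apache Hive: it flags `hive-jdbc` jars in a list of file paths whose version falls inside 0.7.1 to 2.3.2. The jar file-name pattern is an assumption based on the Maven artifact name, and the sample paths are constructed.

```python
import re

# Affected range as stated on this page, inclusive at both ends.
AFFECTED_MIN = (0, 7, 1)
AFFECTED_MAX = (2, 3, 2)

# Assumed naming: hive-jdbc-<version>[qualifier].jar, where the qualifier may be
# "-standalone" or a vendor suffix. Other artifacts whose names merely start
# with "hive-jdbc-" (no version digit next) do not match.
JAR_RE = re.compile(r"(?:^|[/\\])hive-jdbc-(\d+(?:\.\d+){1,3})(?:[-.][\w.\-]+?)?\.jar$")


def parse_version(text):
    """Return (major, minor, patch), padding missing components with 0."""
    parts = [int(p) for p in text.split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def classify(path):
    """Return 'affected', 'not-affected', or None if not a hive-jdbc jar.

    Judged on the upstream version number only; a vendor rebuild may carry
    a backported fix, so treat 'affected' as "needs review".
    """
    match = JAR_RE.search(path)
    if match is None:
        return None
    version = parse_version(match.group(1))
    return "affected" if AFFECTED_MIN <= version <= AFFECTED_MAX else "not-affected"


def scan(paths):
    """Map each hive-jdbc jar path to its verdict, skipping unrelated files."""
    results = {}
    for path in paths:
        verdict = classify(path)
        if verdict is not None:
            results[path] = verdict
    return results


if __name__ == "__main__":
    # Constructed sample inventory.
    sample = ["/opt/app/lib/hive-jdbc-2.3.2-standalone.jar",
              "/opt/app/lib/hive-jdbc-2.3.3.jar",
              "/opt/app/lib/commons-lang-2.6.jar"]
    for path, verdict in scan(sample).items():
        print(f"{verdict:13} {path}")
```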