Path Traversal in Apache Hive Disclosing File Contents
CVE-2018-1284

3.7LOW

Key Information:

Vendor: Apache
Status: Apache Hive
Vendor: CVE Published:; 5 April 2018

Summary

In versions of Apache Hive ranging from 0.6.0 to 2.3.2, a vulnerability exists that permits a malicious user to exploit the XPath User Defined Functions (UDFs) to gain unauthorized access to files present on the server where HiveServer2 is running. If the configuration allows 'hive.server2.enable.doAs' to be set to false, attackers can manipulate XML inputs to reveal sensitive information from files owned by the HiveServer2 user, typically the 'hive' user. This vulnerability underscores the importance of enforcing strict configurations and access control measures in Hive deployments.

Affected Version(s)

Apache Hive 0.6.0 to 2.3.2

References

https://lists.apache.org/thread.html/29184dbce4a37be2af36...

mailing-listx_refsource_MLIST

http://www.securityfocus.com/bid/103750

vdb-entryx_refsource_BID

CVSS V3.1

Score:

3.7

Severity:

LOW

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Apr 5, 2018
Vulnerability Reserved
Dec 7, 2017