Authorization Flaw in Apache Hive Exposes Metadata to Unauthorized Users
CVE-2018-1314

4.3 MEDIUM

Key Information:

Vendor: Apache
CVE Published: 8 November 2018

Summary

In Apache Hive 2.3.3, 3.1.0, and earlier versions, the EXPLAIN operation does not check the necessary authorization for the entities involved in a query. An unauthorized user can therefore run EXPLAIN on any arbitrary table or view, potentially exposing sensitive table metadata and statistical information. This missing access control could lead to unauthorized data visibility, posing a risk to the security and confidentiality of user data.

Affected Version(s)

Apache Hive: all versions of Hive including 2.3.3, 3.1.0 and earlier

CVSS V3.1

Score: 4.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
