Arbitrary File Write Vulnerability in Apache Hive by Apache
CVE-2018-1315

3.7 LOW

Key Information:

Vendor: Apache
CVE Published: 5 April 2018

Summary

In Apache Hive, when a 'COPY FROM FTP' statement is run through the HPL/SQL extension, a compromised FTP server can cause downloaded files to be written to any location on the cluster where the command is executed. This happens because the FTP client in HPL/SQL does not verify the destination path of the files it downloads. The issue does not affect users operating through hive cli or hiveserver2, because the HPL/SQL command line script is separate and is invoked differently.
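The missing destination check described above, shown as an added Java example that is not Hive or HPL/SQL source code: the unchecked join sits beside a version that refuses any name resolving outside the target directory. The class, method names, target directory and sample file names are hypothetical, and it assumes the file name comes from the FTP server's response.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;

// Added illustration; not Hive/HPL/SQL code. All names here are hypothetical.
public class FtpDestinationCheck {

    // Unchecked pattern: the name reported by the FTP server is joined to the
    // target directory and used as-is, so the server decides where the file lands.
    static Path uncheckedResolve(Path targetDir, String remoteName) {
        return targetDir.resolve(remoteName);
    }

    // Checked pattern: normalize the joined path and require that it stays
    // strictly below the target directory before anything is written.
    static Path checkedResolve(Path targetDir, String remoteName) throws IOException {
        Path base = targetDir.toAbsolutePath().normalize();
        // resolve() returns remoteName itself when it is absolute, so absolute
        // names fail the startsWith() test below as well.
        Path dest = base.resolve(remoteName).normalize();
        if (!dest.startsWith(base) || dest.equals(base)) {
            throw new IOException("rejected name outside target directory: " + remoteName);
        }
        // normalize() is lexical only; if the target tree may contain symlinks,
        // also compare real paths (Path.toRealPath) of the parent directory.
        return dest;
    }

    public static void main(String[] args) {
        Path target = Paths.get("/data/hplsql/incoming"); // assumed download directory
        // Constructed sample names, standing in for what a server might return.
        String[] names = {
            "report.csv", "sub/part-0001", "../../outside.txt",
            "/tmp/absolute.txt", "a/../../escape.txt"
        };
        for (String name : names) {
            System.out.println("unchecked: " + name + " -> "
                    + uncheckedResolve(target, name).normalize());
            try {
                System.out.println("checked:   " + name + " -> "
                        + checkedResolve(target, name));
            } catch (IOException e) {
                System.out.println("checked:   " + e.getMessage());
            }
        }
    }
}
```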

Affected Version(s)

Apache Hive 2.1.0 to 2.3.2

CVSS V3.1

Score: 3.7
Severity: LOW
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
