Insecure Method in Apache Hive Metastore Leads to Remote Code Execution Vulnerability
CVE-2022-41137
Summary
The Apache Hive Metastore is affected by a vulnerability that stems from its use of the unsafe method SerializationUtilities#deserializeObjectWithTypeInformation when filtering and fetching partitions. Because this method deserializes arbitrary data supplied by the caller, the flaw can potentially lead to Remote Code Execution (RCE). Exploitation requires that the attacker be an authenticated user or client with an established connection to the Metastore. Moreover, any code path that calls this unsafe method may be susceptible unless it applies stringent prechecks to its input parameters before deserialization.
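As an added illustration that is not code from the Hive project, the following JDK-serialization sketch contrasts an unchecked deserialize call with one guarded by the kind of type precheck the summary calls for. PartitionFilterDeserializer, FilterExpr and the allowlist are hypothetical stand-ins; Hive's own SerializationUtilities is Kryo-based, where the equivalent control is requiring class registration rather than a JEP 290 filter.

```java
import java.io.*;
import java.util.HashMap;
import java.util.Set;

/** Hypothetical: an allowlist precheck applied before a client's filter-expression blob is deserialized. */
public final class PartitionFilterDeserializer {
    /** Constructed stand-in for the expression object a client legitimately sends when fetching partitions. */
    public static final class FilterExpr implements Serializable {
        private static final long serialVersionUID = 1L;
        final String column, op, value;
        FilterExpr(String column, String op, String value) { this.column = column; this.op = op; this.value = value; }
        @Override public String toString() { return column + " " + op + " " + value; }
    }
    /** The unsafe shape: whatever class the bytes name is instantiated; nothing is checked first. */
    static Object deserializeUnchecked(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return in.readObject();
        }
    }
    // Only the expression type the server expects plus the leaf types it contains; everything else is refused.
    private static final Set<Class<?>> ALLOWED = Set.of(FilterExpr.class, String.class);

    /** Hardened shape: a JEP 290 filter rejects any class not on the allowlist before it is instantiated. */
    static FilterExpr deserializeChecked(byte[] bytes) throws IOException, ClassNotFoundException {
        ObjectInputFilter allowlist = info -> {
            Class<?> c = info.serialClass();
            if (c == null) return ObjectInputFilter.Status.UNDECIDED; // depth/size probe, not a class
            return ALLOWED.contains(c) ? ObjectInputFilter.Status.ALLOWED : ObjectInputFilter.Status.REJECTED;
        };
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(allowlist);
            return (FilterExpr) in.readObject(); // a rejected class surfaces as InvalidClassException
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] legit = serialize(new FilterExpr("ds", "=", "2022-10-01"));
        byte[] unexpected = serialize(new HashMap<String, String>()); // any type the server never asked for
        System.out.println("checked/legit: " + deserializeChecked(legit));
        System.out.println("unchecked/unexpected: " + deserializeUnchecked(unexpected).getClass().getName());
        try { deserializeChecked(unexpected); } catch (InvalidClassException e) { System.out.println("checked/unexpected: rejected, " + e.getMessage()); }
    }
}
```

The unchecked path happily instantiates the unexpected HashMap, while the filtered path refuses it before any constructor or readObject logic runs; that refusal is what an input precheck must guarantee for every type reachable from the client-supplied bytes.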
Affected Version(s)
Apache Hive from 4.0.0-alpha-1 up to, but not including, 4.0.0
Timeline
Vulnerability published
Vulnerability reserved
Credit
Junjie Liao