Unauthorized File Access Vulnerability in Apache Hive
CVE-2024-29869

5.5MEDIUM

Key Information:

Vendor
Apache
Status
Apache Hive
Vendor
CVE Published:
28 January 2025

Summary

Apache Hive is susceptible to an improper file permissions vulnerability where it creates a credentials file in a temporary directory with default permissions set to 644. This oversight allows any unauthorized user with access to the directory to read sensitive information contained within the file. It is critical for users to upgrade to version 4.0.1 or later, which addresses this vulnerability and helps mitigate the risk of unauthorized information disclosure.

Affected Version(s)

Apache Hive 1.1.0 < 4.0.1

References

https://github.com/apache/hive
product
https://github.com/apache/hive/commit/20106e254527f7d71b2...
patch
https://issues.apache.org/jira/browse/HIVE-28134
issue-tracking

CVSS V3.1

Score:
5.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Andrea Cosentino
.