GHSA-gf2v-9hp6-44qg

Suggest an improvement
Source
https://github.com/advisories/GHSA-gf2v-9hp6-44qg
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/03/GHSA-gf2v-9hp6-44qg/GHSA-gf2v-9hp6-44qg.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-gf2v-9hp6-44qg
Aliases
Published
2019-03-14T15:40:32Z
Modified
2023-11-08T03:58:25.198532Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
Summary
org.apache.hive:hive, org.apache.hive:hive-exec, and org.apache.hive:hive-service vulnerable to Improper Certificate Validation
Details

Apache Hive (JDBC + HiveServer2) implements SSL for plain TCP and HTTP connections (it supports both transport modes). While validating the server's certificate during the connection setup, the client in Apache Hive before 1.2.2 and 2.0.x before 2.0.1 doesn't seem to be verifying the common name attribute of the certificate. In this way, if a JDBC client sends an SSL request to server abc.com, and the server responds with a valid certificate (certified by CA) but issued to xyz.com, the client will accept that as a valid certificate and the SSL handshake will go through.

References

Affected packages

Maven / org.apache.hive:hive

Package

Name
org.apache.hive:hive
View open source insights on deps.dev
Purl
pkg:maven/org.apache.hive/hive

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.2.2

Affected versions

0.*

0.13.0
0.13.1
0.14.0

1.*

1.0.0
1.0.1
1.1.0
1.1.1
1.2.0
1.2.1

Maven / org.apache.hive:hive

Package

Name
org.apache.hive:hive
View open source insights on deps.dev
Purl
pkg:maven/org.apache.hive/hive

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.0.0
Fixed
2.0.1

Affected versions

2.*

2.0.0

Maven / org.apache.hive:hive-service

Package

Name
org.apache.hive:hive-service
View open source insights on deps.dev
Purl
pkg:maven/org.apache.hive/hive-service

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.2.2

Affected versions

0.*

0.8.0
0.8.1
0.9.0
0.10.0
0.11.0
0.12.0
0.13.0
0.13.1
0.14.0

1.*

1.0.0
1.0.1
1.1.0
1.1.1
1.2.0
1.2.1

Maven / org.apache.hive:hive-service

Package

Name
org.apache.hive:hive-service
View open source insights on deps.dev
Purl
pkg:maven/org.apache.hive/hive-service

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.0.0
Fixed
2.0.1

Affected versions

2.*

2.0.0

Maven / org.apache.hive:hive-exec

Package

Name
org.apache.hive:hive-exec
View open source insights on deps.dev
Purl
pkg:maven/org.apache.hive/hive-exec

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.2.2

Affected versions

0.*

0.8.0
0.8.1
0.9.0
0.10.0
0.11.0
0.12.0
0.13.0
0.13.1
0.14.0

1.*

1.0.0
1.0.1
1.1.0
1.1.1
1.2.0
1.2.1

Maven / org.apache.hive:hive-exec

Package

Name
org.apache.hive:hive-exec
View open source insights on deps.dev
Purl
pkg:maven/org.apache.hive/hive-exec

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.0.0
Fixed
2.0.1

Affected versions

2.*

2.0.0