GHSA-v3p8-j597-3xg8

Source

https://github.com/advisories/GHSA-v3p8-j597-3xg8

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-v3p8-j597-3xg8/GHSA-v3p8-j597-3xg8.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-v3p8-j597-3xg8

Aliases

CVE-2021-34538

Published

2022-07-17T00:00:45Z

Modified

2023-11-08T04:06:08.301454Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator

Summary

Apache Hive before 3.1.3 `CREATE` and `DROP` function operations do not check for necessary authorization.

Details

Apache Hive before 3.1.3 CREATE and DROP function operations do not check for necessary authorization of involved entities in the query. It was found that an unauthorized user can manipulate an existing UDF without having the privileges to do so. This allowed unauthorized or underprivileged users to drop and recreate UDFs pointing them to new jars that could be potentially malicious.

Database specific

{
    "nvd_published_at": "2022-07-16T07:15:00Z",
    "github_reviewed_at": "2022-07-21T21:37:21Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-306"
    ]
}

References

Affected packages

Maven / org.apache.hive:hive

Package

Name: org.apache.hive:hive; View open source insights on deps.dev
Purl: pkg:maven/org.apache.hive/hive

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.1.3

Affected versions

0.*

0.13.0

0.13.1

0.14.0

1.*

1.0.0

1.0.1

1.1.0

1.1.1

1.2.0

1.2.1

1.2.2

2.*

2.0.0

2.0.1

2.1.0

2.1.1

2.2.0

2.3.0

2.3.1

2.3.2

2.3.3

2.3.4

2.3.5

2.3.6

2.3.7

2.3.8

2.3.9

3.*

3.0.0

3.1.0

3.1.1

3.1.2