GHSA-v3p8-j597-3xg8

Suggest an improvement
Source
https://github.com/advisories/GHSA-v3p8-j597-3xg8
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-v3p8-j597-3xg8/GHSA-v3p8-j597-3xg8.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-v3p8-j597-3xg8
Aliases
Published
2022-07-17T00:00:45Z
Modified
2023-11-08T04:06:08.301454Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
Summary
Apache Hive before 3.1.3 `CREATE` and `DROP` function operations do not check for necessary authorization.
Details

Apache Hive before 3.1.3 CREATE and DROP function operations do not check for necessary authorization of involved entities in the query. It was found that an unauthorized user can manipulate an existing UDF without having the privileges to do so. This allowed unauthorized or underprivileged users to drop and recreate UDFs pointing them to new jars that could be potentially malicious.

References

Affected packages

Maven / org.apache.hive:hive

Package

Name
org.apache.hive:hive
View open source insights on deps.dev
Purl
pkg:maven/org.apache.hive/hive

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.1.3

Affected versions

0.*

0.13.0
0.13.1
0.14.0

1.*

1.0.0
1.0.1
1.1.0
1.1.1
1.2.0
1.2.1
1.2.2

2.*

2.0.0
2.0.1
2.1.0
2.1.1
2.2.0
2.3.0
2.3.1
2.3.2
2.3.3
2.3.4
2.3.5
2.3.6
2.3.7
2.3.8
2.3.9

3.*

3.0.0
3.1.0
3.1.1
3.1.2