Apache · Apache Hive · CVE-2018-1284
**Name of the Vulnerable Software and Affected Versions**
Apache Hive versions 0.6.0 through 2.3.2
**Description**
A malicious user might exploit xpath UDFs (such as `xpath`, `xpath_string`, `xpath_boolean`, `xpath_number`, `xpath_double`, `xpath_float`, `xpath_long`, `xpath_int`, `xpath_short`) to expose the content of a file on the machine running HiveServer2. This is possible when the file is owned by the HiveServer2 user (usually `hive`) and `hive.server2.enable.doAs` is set to `false`.
**Recommendations**
For Apache Hive versions 0.6.0 through 2.3.2, consider setting `hive.server2.enable.doAs` to `true` to mitigate the risk of file exposure. Additionally, restrict access to the xpath UDFs to minimize the risk of exploitation.
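
One way to check a deployment against both recommendations, as an added example that is not part of the original advisory or of Hive's own tooling. It assumes a Hadoop-style `hive-site.xml`, that an unset `hive.server2.enable.doAs` falls back to `true`, and that UDF access is restricted through the `hive.server2.builtin.udf.blacklist` property; the sample file and the `audit` helper are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# UDF names as listed in the advisory.
XPATH_UDFS = {"xpath", "xpath_string", "xpath_boolean", "xpath_number",
              "xpath_double", "xpath_float", "xpath_long", "xpath_int",
              "xpath_short"}
AFFECTED = ((0, 6, 0), (2, 3, 2))  # inclusive version range from the advisory

# Constructed sample hive-site.xml, not taken from a real deployment.
SAMPLE_SITE = """<configuration>
  <property><name>hive.server2.enable.doAs</name><value>false</value></property>
  <property><name>hive.server2.builtin.udf.blacklist</name>
    <value>xpath,xpath_string</value></property>
</configuration>"""

def load_props(xml_text):
    """Return {name: value} from a Hadoop-style configuration document."""
    root = ET.fromstring(xml_text)
    return {p.findtext("name", "").strip(): p.findtext("value", "").strip()
            for p in root.iter("property")}

def audit(xml_text, hive_version):
    """Return a list of findings for CVE-2018-1284 exposure.

    hive_version is expected as a dotted numeric string such as "2.3.2".
    """
    props = load_props(xml_text)
    version = tuple(int(x) for x in hive_version.split(".")[:3])
    findings = []
    if not (AFFECTED[0] <= version <= AFFECTED[1]):
        return findings  # outside the range the advisory names
    # Assumption: an unset property falls back to Hive's default of true.
    do_as = props.get("hive.server2.enable.doAs", "true").lower()
    if do_as != "true":
        findings.append("hive.server2.enable.doAs is false")
    # Assumption: UDF access is restricted via hive.server2.builtin.udf.blacklist.
    blocked = {u.strip().lower() for u in
               props.get("hive.server2.builtin.udf.blacklist", "").split(",")}
    exposed = sorted(XPATH_UDFS - blocked)
    if exposed:
        findings.append("xpath UDFs not blacklisted: " + ",".join(exposed))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_SITE, "2.3.2"):
        print(finding)
```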