PT-2018-11430 · Apache · Apache Hive

Daniel Dai

·

Published

2018-04-05

·

Updated

2018-11-21

·

CVE-2018-1284

CVSS v2.0

4.3

Medium

Vector AV:N/AC:M/Au:N/C:P/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Apache Hive versions 0.6.0 through 2.3.2
Description: A malicious user can use the xpath UDFs (xpath, xpath_string, xpath_boolean, xpath_number, xpath_double, xpath_float, xpath_long, xpath_int, xpath_short) to expose the content of a file on the machine running HiveServer2. These UDFs evaluate an XPath expression over an XML document supplied as a query argument, and in the affected versions the XML parser behind them resolved external entities, which is what lets a query pull a local file into the document and read it back. The file must be readable by the operating-system account HiveServer2 runs as (usually hive), and the exposure depends on hive.server2.enable.doAs being set to false: with impersonation disabled, every query executes as that service account, so any file the account can read is reachable from any authenticated query.
Recommendations: For Apache Hive versions 0.6.0 through 2.3.2, set hive.server2.enable.doAs to true so that queries run under the identity of the submitting user and can only reach files that user could already read. Additionally, restrict access to the xpath UDFs to minimize the risk of exploitation. Upgrading past 2.3.2, the last affected release, removes the issue.
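The following is an added example, not code from this page or from the Apache Hive project: an offline audit that reads a hive-site.xml, checks the two conditions the advisory names (an affected version and hive.server2.enable.doAs set to false), and reports which xpath UDFs remain callable. It assumes that HiveConf defaults hive.server2.enable.doAs to true when the property is absent, and it uses the HiveConf property hive.server2.builtin.udf.blacklist (not mentioned on this page) as the mechanism for restricting the UDFs. Both sample configurations are constructed for the example.

```python
"""Offline audit of hive-site.xml against the CVE-2018-1284 conditions.

Added example; not code from the advisory page or the Apache Hive project.
"""
import xml.etree.ElementTree as ET

# The nine xpath UDFs named in the advisory.
XPATH_UDFS = frozenset({
    "xpath", "xpath_string", "xpath_boolean", "xpath_number", "xpath_double",
    "xpath_float", "xpath_long", "xpath_int", "xpath_short",
})

# Affected range from the advisory, inclusive at both ends.
AFFECTED_MIN = (0, 6, 0)
AFFECTED_MAX = (2, 3, 2)

DOAS_PROP = "hive.server2.enable.doAs"
# HiveConf property for blocking builtin UDFs by name; assumed here as the
# way to "restrict access to the xpath UDFs" (not stated on the page).
UDF_BLACKLIST_PROP = "hive.server2.builtin.udf.blacklist"

# Constructed sample: the weak setting the advisory describes.
WEAK_HIVE_SITE = """<?xml version="1.0"?>
<configuration>
  <property>
    <name>hive.server2.enable.doAs</name>
    <value>false</value>
  </property>
</configuration>
"""

# Constructed sample: impersonation on and the xpath UDFs blocked.
HARDENED_HIVE_SITE = """<?xml version="1.0"?>
<configuration>
  <property>
    <name>hive.server2.enable.doAs</name>
    <value>true</value>
  </property>
  <property>
    <name>hive.server2.builtin.udf.blacklist</name>
    <value>xpath,xpath_string,xpath_boolean,xpath_number,xpath_double,xpath_float,xpath_long,xpath_int,xpath_short</value>
  </property>
</configuration>
"""


def parse_version(text):
    """Map '2.3.2', '2.3.2-SNAPSHOT' or a vendor build such as
    '2.3.2.3.1.0.0-78' to (2, 3, 2): only the leading digits of the
    first three dotted components count."""
    parts = []
    for component in text.split(".")[:3]:
        digits = ""
        for ch in component:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(version):
    """True when the version falls inside the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def load_properties(xml_text):
    """Read <property><name>/<value> pairs from a hive-site.xml document."""
    props = {}
    for prop in ET.fromstring(xml_text).findall("property"):
        name = prop.findtext("name")
        if name is not None:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props


def audit(xml_text, version):
    """Return a list of finding strings; an empty list means no exposure found."""
    props = load_properties(xml_text)
    # Assumption: HiveConf defaults hive.server2.enable.doAs to true when unset.
    do_as = props.get(DOAS_PROP, "true").lower() == "true"
    blacklisted = {u.strip() for u in props.get(UDF_BLACKLIST_PROP, "").split(",") if u.strip()}
    exposed_udfs = sorted(XPATH_UDFS - blacklisted)

    findings = []
    if not is_affected(version):
        return findings
    if not do_as:
        findings.append(
            f"{DOAS_PROP}=false on Hive {version}: queries run as the HiveServer2 "
            "service account, so the xpath UDFs can read any file that account can read"
        )
    if exposed_udfs:
        findings.append(
            f"xpath UDFs still callable (not listed in {UDF_BLACKLIST_PROP}): "
            + ", ".join(exposed_udfs)
        )
    return findings


if __name__ == "__main__":
    for label, xml_text in (("weak", WEAK_HIVE_SITE), ("hardened", HARDENED_HIVE_SITE)):
        print(label, audit(xml_text, "2.3.2") or ["no findings"])
```

On a real node the document would be read from the cluster's hive-site.xml and the version taken from `hive --version`; a blacklist finding on an affected release with impersonation already enabled is the lower-priority of the two, since it only limits who could reach files the submitting user can read anyway.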

Fix

Information Disclosure


Weakness Enumeration

Related identifiers

CVE-2018-1284
GHSA-RXMR-C9JM-7MM8

Affected products

Apache Hive