PT-2016-3802 · Apache · Apache Hive

Olaf Flebbe · Published 2016-01-29 · Updated 2018-11-21 · CVE-2015-7521

CVSS v3.1: 8.3 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

Name of the Vulnerable Software and Affected Versions

Apache Hive versions 1.0.0 through 1.2.1

Description

The issue concerns the authorization framework, allowing attackers to bypass intended access restrictions on parent tables via partition-level operations, in clusters protected by Ranger and SqlStdHiveAuthorization.

Recommendations

For Apache Hive versions 1.0.0 through 1.2.1, consider restricting access to partition-level operations until a fix is available. As a temporary workaround, review and tighten the authorization settings in Ranger and SqlStdHiveAuthorization to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Improper Authentication

Weakness Enumeration

Related Identifiers

CVE-2015-7521
GHSA-83R3-C79W-F6WC

Affected Products

Apache Hive