PT-2018-11430 · Apache · Apache Hive
Daniel Dai · Published 2018-04-05 · Updated 2018-11-21 · CVE-2018-1284
CVSS v2.0: 4.3 (Medium)
| Vector | AV:N/AC:M/Au:N/C:P/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Apache Hive versions 0.6.0 through 2.3.2
Description
A malicious user might exploit any of the xpath UDFs (xpath, xpath_string, xpath_boolean, xpath_number, xpath_double, xpath_float, xpath_long, xpath_int, xpath_short) to expose the content of a file on the machine running HiveServer2. Each of these UDFs takes the XML document to query as a string argument and parses it on the HiveServer2 host, so the parser's input is fully under the caller's control. The exposure is possible when the file is owned by the HiveServer2 user (usually hive) and hive.server2.enable.doAs is set to false, because the query is then executed under the hive service account rather than under the identity of the user who submitted it.
Recommendations
For Apache Hive versions 0.6.0 through 2.3.2, set hive.server2.enable.doAs to true so that a query, and any UDF it calls, runs as the submitting user and can only reach files that user could already read. Additionally, restrict access to the xpath UDFs, for example by listing all nine names in hive.server2.builtin.udf.blacklist (HiveServer2's comma-separated list of built-in UDFs that queries may not call), to minimize the risk of exploitation.
Fix
Information Disclosure
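The description above states the effect (file content handed back to the caller) but not the parser behaviour behind it. The example below is added here and is neither Hive's code nor part of the advisory: it models the xpath_string path with Python's xml.sax, under the assumption that the UDF's XML parser resolves external entities, which is the standard way a DOM parser fed attacker-controlled XML is made to read a local file. The unpatched mode switches external general entity resolution on; the hardened mode rejects any DOCTYPE before parsing, the equivalent of Xerces' disallow-doctype-decl feature. The function names, the temporary file and its content are all constructed for this demo.

```python
"""Model of the file-exposure path in Hive's xpath_* UDFs (CVE-2018-1284).

Added example, not Hive code: Hive's UDFs parse their XML argument with a Java
DOM parser; this Python stand-in uses xml.sax with external general entity
resolution switched on to model the unpatched behaviour, and a DOCTYPE
rejection (the equivalent of Xerces' disallow-doctype-decl) to model a
hardened parser. File names and contents below are constructed for the demo.
"""
import io
import os
import pathlib
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class DoctypeRejected(ValueError):
    """Raised by the hardened parser when the XML carries a DOCTYPE."""


class _TextOfElement(ContentHandler):
    """Collect the character data under the first <tag> element.

    Stand-in for xpath_string(xml, '/tag'); a full XPath engine is not
    needed to show the parser-level problem.
    """

    def __init__(self, tag):
        super().__init__()
        self.tag = tag
        self.depth = 0      # > 0 while inside the wanted element
        self.parts = []

    def startElement(self, name, attrs):
        if self.depth or name == self.tag:
            self.depth += 1

    def endElement(self, name):
        if self.depth:
            self.depth -= 1

    def characters(self, content):
        if self.depth:
            self.parts.append(content)


def xpath_string_like(xml_text, tag, hardened=True):
    """Return the text of the first <tag> element in xml_text.

    hardened=False models the unpatched UDF: a DOCTYPE is accepted and the
    parser fetches <!ENTITY x SYSTEM "file:///..."> from disk under the
    parser's own OS identity (the hive account when doAs=false).
    hardened=True rejects any DOCTYPE up front and leaves external general
    entities unresolved, so no entity declaration reaches the parser.
    """
    if hardened and "<!DOCTYPE" in xml_text:
        raise DoctypeRejected("DOCTYPE declarations are not accepted")
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, not hardened)
    handler = _TextOfElement(tag)
    parser.setContentHandler(handler)
    parser.parse(io.StringIO(xml_text))
    return "".join(handler.parts)


def write_constructed_secret():
    """Create a file standing in for something only the hive user can read."""
    fd, path = tempfile.mkstemp(prefix="hive-secret-", suffix=".txt")
    with os.fdopen(fd, "w") as f:
        f.write("root:x:0:0:root:/root:/bin/bash\n")   # constructed content
    return path


def xxe_document(path):
    """XML whose entity x expands to the content of `path` on the parser's host."""
    return ('<!DOCTYPE a [<!ENTITY x SYSTEM "%s">]><a>&x;</a>'
            % pathlib.Path(path).as_uri())


def run_demo():
    """Return what each parser mode yields for the same caller-controlled XML."""
    secret = write_constructed_secret()
    try:
        doc = xxe_document(secret)
        unpatched = xpath_string_like(doc, "a", hardened=False)
        try:
            hardened = xpath_string_like(doc, "a", hardened=True)
        except DoctypeRejected as e:
            hardened = "rejected: %s" % e
    finally:
        os.unlink(secret)
    return {"unpatched": unpatched, "hardened": hardened}


if __name__ == "__main__":
    for mode, result in run_demo().items():
        print("%-9s -> %r" % (mode, result))
```

The unpatched mode returns the file's text as the "query result", which is the whole vulnerability: the parser runs with the service account's file permissions and the caller chooses the entity's SYSTEM URI. Rejecting the DOCTYPE removes the only place an entity can be declared; disabling external general entities alone would also stop the read, but leaving DOCTYPE processing enabled still exposes the parser to entity-expansion denial of service, so the stricter setting is the one to prefer.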
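The recommendations above name two settings to check. The audit below is an added example, not part of the advisory or of Hive: it reads a hive-site.xml document, reports whether hive.server2.enable.doAs is false (its HiveConf default is true, so an absent key counts as true) and lists which of the nine xpath UDFs are still callable given hive.server2.builtin.udf.blacklist. The function names are hypothetical and both configuration documents are constructed for the demo.

```python
"""Audit a hive-site.xml for the two mitigations in the advisory.

Added example, not part of the advisory or of Hive. It reads the two
properties hive.server2.enable.doAs and hive.server2.builtin.udf.blacklist
(HiveServer2's comma-separated list of built-in UDF names that queries may
not call) and reports which xpath UDFs remain reachable. The two
configuration documents are constructed for the demo.
"""
import xml.etree.ElementTree as ET

# The nine UDFs named in the advisory.
XPATH_UDFS = frozenset([
    "xpath", "xpath_string", "xpath_boolean", "xpath_number", "xpath_double",
    "xpath_float", "xpath_long", "xpath_int", "xpath_short",
])

# Constructed Hadoop-style config with the weak setting: doAs off, no blacklist.
WEAK_HIVE_SITE = """<configuration>
  <property><name>hive.server2.enable.doAs</name><value>false</value></property>
</configuration>"""

# Constructed config with both mitigations from the advisory applied.
HARDENED_HIVE_SITE = """<configuration>
  <property><name>hive.server2.enable.doAs</name><value>true</value></property>
  <property>
    <name>hive.server2.builtin.udf.blacklist</name>
    <value>xpath,xpath_string,xpath_boolean,xpath_number,xpath_double,xpath_float,xpath_long,xpath_int,xpath_short</value>
  </property>
</configuration>"""


def load_properties(hive_site_xml):
    """Return {name: value} for every <property> in a Hadoop-style config."""
    props = {}
    for prop in ET.fromstring(hive_site_xml).iter("property"):
        name = prop.findtext("name")
        if name:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props


def audit(hive_site_xml):
    """Return the doAs state, the xpath UDFs still callable, and findings."""
    props = load_properties(hive_site_xml)
    # HiveConf defaults hive.server2.enable.doAs to true when the key is absent.
    do_as = props.get("hive.server2.enable.doAs", "true").lower() == "true"
    blacklist = props.get("hive.server2.builtin.udf.blacklist", "")
    blacklisted = {u.strip().lower() for u in blacklist.split(",") if u.strip()}
    exposed = sorted(XPATH_UDFS - blacklisted)
    findings = []
    if not do_as:
        findings.append("hive.server2.enable.doAs=false: queries run as the "
                        "hive service user, so its files are reachable")
    if exposed:
        findings.append("xpath UDFs not blacklisted: " + ", ".join(exposed))
    return {"doAs": do_as, "exposed_udfs": exposed, "findings": findings}


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_HIVE_SITE), ("hardened", HARDENED_HIVE_SITE)):
        print(label, audit(doc))
```

Run it against the hive-site.xml actually loaded by HiveServer2 rather than a copy in version control, since the effective value can also be overridden on the server's command line. Both findings matter independently: doAs=true limits what a query can read to the submitting user's own files, while the blacklist removes the parser from reach entirely, and only an upgrade past 2.3.2 removes the defect itself.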
Weakness Enumeration
Related Identifiers
Affected Products
Apache Hive