org.apache.hive:hive-exec 0.8.0 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.apache.hive:hive-exec package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability	Vulnerable Version
H Access Restriction Bypass org.apache.hive:hive-exec is a package for reading, writing, and managing large datasets residing in distributed storage using SQL. Affected versions of this package are vulnerable to Access Restriction Bypass in the "CREATE" and "DROP" operations due to missing authorization verification. As a result, unauthorized users can manipulate an existing UDF without having the necessary privileges, including dropping and recreating it to point at a malicious jar. How to fix Access Restriction Bypass? Upgrade `org.apache.hive:hive-exec` to version 3.1.3 or higher.	[,3.1.3)
H Authentication Bypass org.apache.hive:hive-exec is a package for reading, writing, and managing large datasets residing in distributed storage using SQL. Affected versions of this package are vulnerable to Authentication Bypass. The `EXPLAIN` operation does not check for necessary authorization of involved entities in a query. An unauthorized user could use `EXPLAIN` on arbitrary table or view and expose table metadata and statistics. How to fix Authentication Bypass? Upgrade `org.apache.hive:hive-exec` to version 2.3.4, 3.1.1 or higher.	[,2.3.4)[3.0.0,3.1.1)
H Access Restriction Bypass org.apache.hive:hive-exec is a package for reading, writing, and managing large datasets residing in distributed storage using SQL. Affected versions of this package are vulnerable to Access Restriction Bypass. Local resources on `HiveServer2` machines are not properly protected against malicious user if ranger, sentry or sql standard authorizer is not in use. How to fix Access Restriction Bypass? Upgrade `org.apache.hive:hive-exec` to version 2.3.4, 3.1.1 or higher.	[,2.3.4)[3.1.0,3.1.1)
L Arbitrary Files Access org.apache.hive:hive-exec is a package for reading, writing, and managing large datasets residing in distributed storage using SQL. Affected versions of this package are vulnerable to Arbitrary Files Access. A malicious user might use any xpath UDFs to expose the content of a file on the machine running `HiveServer2` owned by a `HiveServer2` user (usually hive) if `hive.server2.enable.doAs=false`. How to fix Arbitrary Files Access? Upgrade `org.apache.hive:hive-exec` to version 2.3.3 or higher.	[0.6.0,2.3.3)
L Improper Access Control org.apache.hive:hive-exec is a package for reading, writing, and managing large datasets residing in distributed storage using SQL. Affected versions of this package are vulnerable to Improper Access Control. When in SQL standards based authorization mode, the package does not properly check the file permissions for (1) import and (2) export statements, which allows remote authenticated users to obtain sensitive information via a crafted URI. How to fix Improper Access Control? Upgrade `org.apache.hive:hive-exec` to version 0.13.1 or higher.	[0.8.0,0.13.1)

Vulnerability

Vulnerable Version

Access Restriction Bypass