org.apache.hive:hive-exec 2.3.2 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.apache.hive:hive-exec package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability	Vulnerable Version
M Incorrect Permission Assignment for Critical Resource org.apache.hive:hive-exec is a package for reading, writing, and managing large datasets residing in distributed storage using SQL. Affected versions of this package are vulnerable to Incorrect Permission Assignment for Critical Resource due to the default creation of a credentials file with permissions set to 644 in a temporary directory. An attacker that has access to the temporary directory in the file system can read sensitive information by accessing this directory. How to fix Incorrect Permission Assignment for Critical Resource? Upgrade `org.apache.hive:hive-exec` to version 4.0.1 or higher.	[,4.0.1)
H Access Restriction Bypass org.apache.hive:hive-exec is a package for reading, writing, and managing large datasets residing in distributed storage using SQL. Affected versions of this package are vulnerable to Access Restriction Bypass in the "CREATE" and "DROP" operations due to missing authorization verification. As a result, unauthorized users can manipulate an existing UDF without having the necessary privileges, including dropping and recreating it to point at a malicious jar. How to fix Access Restriction Bypass? Upgrade `org.apache.hive:hive-exec` to version 3.1.3 or higher.	[,3.1.3)
H Access Restriction Bypass org.apache.hive:hive-exec is a package for reading, writing, and managing large datasets residing in distributed storage using SQL. Affected versions of this package are vulnerable to Access Restriction Bypass. Local resources on `HiveServer2` machines are not properly protected against malicious user if ranger, sentry or sql standard authorizer is not in use. How to fix Access Restriction Bypass? Upgrade `org.apache.hive:hive-exec` to version 2.3.4, 3.1.1 or higher.	[,2.3.4)[3.1.0,3.1.1)
H Authentication Bypass org.apache.hive:hive-exec is a package for reading, writing, and managing large datasets residing in distributed storage using SQL. Affected versions of this package are vulnerable to Authentication Bypass. The `EXPLAIN` operation does not check for necessary authorization of involved entities in a query. An unauthorized user could use `EXPLAIN` on arbitrary table or view and expose table metadata and statistics. How to fix Authentication Bypass? Upgrade `org.apache.hive:hive-exec` to version 2.3.4, 3.1.1 or higher.	[,2.3.4)[3.0.0,3.1.1)
L Arbitrary Files Access org.apache.hive:hive-exec is a package for reading, writing, and managing large datasets residing in distributed storage using SQL. Affected versions of this package are vulnerable to Arbitrary Files Access. A malicious user might use any xpath UDFs to expose the content of a file on the machine running `HiveServer2` owned by a `HiveServer2` user (usually hive) if `hive.server2.enable.doAs=false`. How to fix Arbitrary Files Access? Upgrade `org.apache.hive:hive-exec` to version 2.3.3 or higher.	[0.6.0,2.3.3)

Vulnerability

Vulnerable Version

Incorrect Permission Assignment for Critical Resource