org.apache.hive:hive-exec 4.0.0-alpha-1 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.apache.hive:hive-exec package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability	Vulnerable Version
M Incorrect Permission Assignment for Critical Resource org.apache.hive:hive-exec is a package for reading, writing, and managing large datasets residing in distributed storage using SQL. Affected versions of this package are vulnerable to Incorrect Permission Assignment for Critical Resource due to the default creation of a credentials file with permissions set to 644 in a temporary directory. An attacker that has access to the temporary directory in the file system can read sensitive information by accessing this directory. How to fix Incorrect Permission Assignment for Critical Resource? Upgrade `org.apache.hive:hive-exec` to version 4.0.1 or higher.	[,4.0.1)
H Deserialization of Untrusted Data org.apache.hive:hive-exec is a package for reading, writing, and managing large datasets residing in distributed storage using SQL. Affected versions of this package are vulnerable to Deserialization of Untrusted Data through the `SerializationUtilities#deserializeObjectWithTypeInformation` method. An attacker can execute arbitrary code by sending crafted data that is deserialized. Note: This is only exploitable if the attacker is an authenticated user who has successfully established a connection to the Metastore. How to fix Deserialization of Untrusted Data? Upgrade `org.apache.hive:hive-exec` to version 4.0.0-alpha-2 or higher.	[4.0.0-alpha-1,4.0.0-alpha-2)

Vulnerability

Vulnerable Version

Incorrect Permission Assignment for Critical Resource

org.apache.hive:hive-exec is a package for reading, writing, and managing large datasets residing in distributed storage using SQL.

Affected versions of this package are vulnerable to Incorrect Permission Assignment for Critical Resource due to the default creation of a credentials file with permissions set to 644 in a temporary directory. An attacker that has access to the temporary directory in the file system can read sensitive information by accessing this directory.

How to fix Incorrect Permission Assignment for Critical Resource?

Upgrade org.apache.hive:hive-exec to version 4.0.1 or higher.

[,4.0.1)

Deserialization of Untrusted Data

org.apache.hive:hive-exec is a package for reading, writing, and managing large datasets residing in distributed storage using SQL.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data through the SerializationUtilities#deserializeObjectWithTypeInformation method. An attacker can execute arbitrary code by sending crafted data that is deserialized.

Note:

This is only exploitable if the attacker is an authenticated user who has successfully established a connection to the Metastore.

How to fix Deserialization of Untrusted Data?

Upgrade org.apache.hive:hive-exec to version 4.0.0-alpha-2 or higher.

[4.0.0-alpha-1,4.0.0-alpha-2)

org.apache.hive:hive-exec@4.0.0-alpha-1 vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package manager

Direct Vulnerabilities

How to fix?