org.apache.hive:hive-service@1.0.1 vulnerabilities

  • latest version: 4.0.1

  • first published: 13 years ago

  • latest version published: 3 months ago

  • Direct Vulnerabilities

    Known vulnerabilities in the org.apache.hive:hive-service package. This does not include vulnerabilities belonging to this package’s dependencies.

    • Timing Attack (severity: M)

    org.apache.hive:hive-service is a package for reading, writing, and managing large datasets residing in distributed storage using SQL.

    Affected versions of this package are vulnerable to Timing Attack. The cookie signature verification used a non-constant-time comparison, which is known to be vulnerable to timing attacks; this could allow recovery of another user's cookie signature.

    How to fix Timing Attack?

    Upgrade org.apache.hive:hive-service to version 2.3.8 or higher.

    Vulnerable versions: [,2.3.8)
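    The flaw described above is the comparison step, not the MAC itself. The following added example (written for this page, not Hive's code) signs a constructed cookie payload with HMAC-SHA256 and then verifies the tag two ways: a loop that returns on the first mismatching byte, whose running time depends on how long the correct prefix of a guessed tag is, and `MessageDigest.isEqual`, which runs in time independent of where the first difference lies. The secret and cookie value are constructed placeholders; `String.equals` has the same early-exit behaviour as the loop and is equally unsuitable for comparing secrets.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

public class CookieSignatureCheck {
    // Constructed demo key; a real server would load its signing secret from configuration.
    private static final byte[] SECRET =
            "demo-secret-not-for-production".getBytes(StandardCharsets.UTF_8);

    // Sign the cookie payload with HMAC-SHA256 and return the Base64-encoded tag.
    static String sign(String payload) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(SECRET, "HmacSHA256"));
        return Base64.getEncoder().encodeToString(mac.doFinal(payload.getBytes(StandardCharsets.UTF_8)));
    }

    // Vulnerable pattern: returns as soon as one byte differs, so the elapsed time leaks
    // how many leading bytes of the presented tag were correct.
    static boolean verifyEarlyExit(String payload, String tag) throws Exception {
        byte[] expected = sign(payload).getBytes(StandardCharsets.UTF_8);
        byte[] given = tag.getBytes(StandardCharsets.UTF_8);
        if (expected.length != given.length) return false;
        for (int i = 0; i < expected.length; i++) {
            if (expected[i] != given[i]) return false;
        }
        return true;
    }

    // Hardened pattern: MessageDigest.isEqual examines every byte regardless of where
    // a mismatch occurs (constant-time for equal-length inputs since Java 6u17).
    static boolean verifyConstantTime(String payload, String tag) throws Exception {
        byte[] expected = sign(payload).getBytes(StandardCharsets.UTF_8);
        byte[] given = tag.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, given);
    }

    public static void main(String[] args) throws Exception {
        String cookie = "user=alice&expires=1700000000"; // constructed cookie payload
        String tag = sign(cookie);
        String tampered = "AAAA" + tag.substring(4);      // same length, wrong first bytes

        System.out.println("early-exit,     valid tag: " + verifyEarlyExit(cookie, tag));
        System.out.println("constant-time,  valid tag: " + verifyConstantTime(cookie, tag));
        System.out.println("constant-time, wrong tag : " + verifyConstantTime(cookie, tampered));
        System.out.println("constant-time, wrong len : " + verifyConstantTime(cookie, tag + "x"));
    }
}
```

    Both verifiers return the same booleans; the difference is only in timing. When upgrading is not immediately possible, grepping the code base for `equals(` and hand-written byte loops on the path that validates cookies or tokens is the quickest way to find the same pattern elsewhere.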
    • Cross-site Scripting (XSS) (severity: M)

    org.apache.hive:hive-service is a package for reading, writing, and managing large datasets residing in distributed storage using SQL.

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper sanitization of the loggerName parameter. An attacker could input malicious scripts through the affected parameter.

    How to fix Cross-site Scripting (XSS)?

    Upgrade org.apache.hive:hive-service to version 4.0.0-alpha-1 or higher.

    Vulnerable versions: [0,4.0.0-alpha-1)
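    The advisory names the sink (a `loggerName` request parameter echoed into a page) but not the fix. The following added example, not taken from Hive, contrasts rendering the parameter verbatim with rendering it through a minimal HTML entity encoder for element content; the `loggerName` value is a constructed test input. In a real servlet the same encoding must be applied at every point where the parameter reaches HTML, and a different encoder is needed if the value lands inside an attribute, URL or script context.

```java
public class LoggerNameRenderer {
    // Vulnerable pattern: the request parameter is concatenated straight into the markup,
    // so any tag the caller supplies becomes part of the page.
    static String renderUnescaped(String loggerName) {
        return "<p>Current logger: " + loggerName + "</p>";
    }

    // Minimal entity encoding for text placed in HTML element content.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Hardened pattern: the browser now sees the input as text, never as markup.
    static String renderEscaped(String loggerName) {
        return "<p>Current logger: " + escapeHtml(loggerName) + "</p>";
    }

    public static void main(String[] args) {
        // Constructed test input: a harmless tag that shows whether markup survives rendering.
        String loggerName = "org.apache.hive<script>probe()</script>";
        System.out.println("unescaped: " + renderUnescaped(loggerName));
        System.out.println("escaped:   " + renderEscaped(loggerName));
    }
}
```

    The escaped output contains `&lt;script&gt;` rather than a live tag. A stricter alternative for this particular parameter is to validate it against the pattern a logger name can actually have (dotted Java identifiers) before it is used at all, and reject anything else.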
    • Access Restriction Bypass (severity: H)

    Affected versions of the org.apache.hive:hive-service package are vulnerable to Access Restriction Bypass. Apache Hive (JDBC + HiveServer2) implements SSL for both plain TCP and HTTP connections (it supports both transport modes). While validating the server's certificate during connection setup, the client in Apache Hive before 1.2.2 and 2.0.x before 2.0.1 does not appear to verify the common name attribute of the certificate. As a result, if a JDBC client sends an SSL request to server abc.com and the server responds with a valid CA-issued certificate that was issued to xyz.com, the client accepts it as valid and the SSL handshake completes.

    How to fix Access Restriction Bypass?

    Upgrade org.apache.hive:hive-service to version 1.2.2, 2.0.1 or higher.

    Vulnerable versions: [,1.2.2), [2.0.0,2.0.1)
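    The behaviour described above is the JSSE default for a raw `SSLSocket`: the trust manager checks that the chain leads to a trusted CA, but nothing compares the certificate's names to the host that was dialled unless the caller asks for it. The following added example (written for this page, not the Hive JDBC driver) shows the one setting that turns that check on, `SSLParameters.setEndpointIdentificationAlgorithm("HTTPS")`, which applies RFC 2818 matching against subjectAltName dNSName entries with a fallback to the CN. The host name and port are placeholders; the program needs a reachable TLS endpoint to complete the handshake.

```java
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.io.IOException;

public class HostnameCheckedClient {
    // Opens a TLS connection and completes the handshake.
    // checkHostname=false reproduces the pre-fix behaviour: the chain is validated
    // against the trust store, but the certificate's name is never compared to `host`.
    // checkHostname=true makes the handshake fail with SSLHandshakeException when the
    // certificate was issued to a different name.
    static SSLSocket connect(String host, int port, boolean checkHostname) throws IOException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        if (checkHostname) {
            SSLParameters params = socket.getSSLParameters();
            // "HTTPS" selects RFC 2818 host name matching (SAN dNSName, then CN fallback).
            params.setEndpointIdentificationAlgorithm("HTTPS");
            socket.setSSLParameters(params);
        }
        socket.startHandshake();
        return socket;
    }

    public static void main(String[] args) throws IOException {
        // Placeholder endpoint; pass a real host and port on the command line.
        String host = args.length > 0 ? args[0] : "hiveserver2.example.invalid";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 10001;

        try (SSLSocket s = connect(host, port, true)) {
            System.out.println("handshake ok; verified peer: " + s.getSession().getPeerPrincipal());
        }
    }
}
```

    The same flag is what `HttpsURLConnection` sets implicitly through its `HostnameVerifier`, which is why HTTP clients rarely hit this bug while hand-built socket clients do. When auditing a JDBC driver or any binary-transport client, the question to ask is whether any code path reaches `startHandshake()` without this parameter set.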