org.apache.hive:hive-standalone-metastore-server 4.0.0-alpha-1 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.apache.hive:hive-standalone-metastore-server package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
H SQL Injection Affected versions of this package are vulnerable to SQL Injection via the processing of delete column statistics requests through the HMS Thrift APIs. An attacker can execute arbitrary SQL commands by sending specially crafted requests to the affected API endpoints. This is only exploitable if the attacker is a trusted or authorized user/application with direct access to the Thrift APIs, and if the `metastore.try.direct.sql` property is set to true. How to fix SQL Injection? Upgrade `org.apache.hive:hive-standalone-metastore-server` to version 4.2.0 or higher.	[,4.2.0)
H Deserialization of Untrusted Data Affected versions of this package are vulnerable to Deserialization of Untrusted Data through the `SerializationUtilities#deserializeObjectWithTypeInformation` method. An attacker can execute arbitrary code by sending crafted data that is deserialized. Note: This is only exploitable if the attacker is an authenticated user who has successfully established a connection to the Metastore. How to fix Deserialization of Untrusted Data? Upgrade `org.apache.hive:hive-standalone-metastore-server` to version 4.0.0-alpha-2 or higher.	[4.0.0-alpha-1,4.0.0-alpha-2)

Vulnerability

Vulnerable Version

SQL Injection

Affected versions of this package are vulnerable to SQL Injection via the processing of delete column statistics requests through the HMS Thrift APIs. An attacker can execute arbitrary SQL commands by sending specially crafted requests to the affected API endpoints. This is only exploitable if the attacker is a trusted or authorized user/application with direct access to the Thrift APIs, and if the metastore.try.direct.sql property is set to true.

How to fix SQL Injection?

Upgrade org.apache.hive:hive-standalone-metastore-server to version 4.2.0 or higher.

[,4.2.0)

Deserialization of Untrusted Data

Affected versions of this package are vulnerable to Deserialization of Untrusted Data through the SerializationUtilities#deserializeObjectWithTypeInformation method. An attacker can execute arbitrary code by sending crafted data that is deserialized.

Note:

This is only exploitable if the attacker is an authenticated user who has successfully established a connection to the Metastore.

How to fix Deserialization of Untrusted Data?

Upgrade org.apache.hive:hive-standalone-metastore-server to version 4.0.0-alpha-2 or higher.

[4.0.0-alpha-1,4.0.0-alpha-2)

org.apache.hive:hive-standalone-metastore-server@4.0.0-alpha-1 vulnerabilities

latest version

first published

latest version published

licenses detected

package registry

Direct Vulnerabilities

Fix vulnerabilities automatically