apache-airflow-providers-apache-hive 2.2.0rc2 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the apache-airflow-providers-apache-hive package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability	Vulnerable Version
H Improper Input Validation Affected versions of this package are vulnerable to Improper Input Validation via the `proxy_user` value, which allows injection of a semicolon. How to fix Improper Input Validation? Upgrade `apache-airflow-providers-apache-hive` to version 6.1.2 or higher.	[,6.1.2)
H Remote Code Execution (RCE) Affected versions of this package are vulnerable to Remote Code Execution (RCE) by bypassing the security check on the beeline `principal` parameter passed to the `_prepare_cli_cmd()` function. Attackers with permission to modify the connection details can trigger code execution. How to fix Remote Code Execution (RCE)? Upgrade `apache-airflow-providers-apache-hive` to version 6.1.1rc1 or higher.	[,6.1.1rc1)
H Arbitrary Code Injection Affected versions of this package are vulnerable to Arbitrary Code Injection due to improper control of generation of code. How to fix Arbitrary Code Injection? Upgrade `apache-airflow-providers-apache-hive` to version 6.0.0 or higher.	[,6.0.0)
H Improper Input Validation Affected versions of this package are vulnerable to Improper Input Validation such that the parameters for Hive when beeline is used are not validated. How to fix Improper Input Validation? Upgrade `apache-airflow-providers-apache-hive` to version 5.1.3 or higher.	[,5.1.3)
C Command Injection Affected versions of this package are vulnerable to Command Injection via `hive_cli_params`, due to insufficient sanitization of user input. How to fix Command Injection? Upgrade `apache-airflow-providers-apache-hive` to version 5.0.0 or higher.	[,5.0.0)
H OS Command Injection Affected versions of this package are vulnerable to OS Command Injection which allows an attacker to execute arbitrary commands in the task execution context, without write access to DAG files. How to fix OS Command Injection? Upgrade `apache-airflow-providers-apache-hive` to version 4.1.0 or higher.	[,4.1.0)

Vulnerability

Vulnerable Version

Improper Input Validation

Affected versions of this package are vulnerable to Improper Input Validation via the proxy_user value, which allows injection of a semicolon.

How to fix Improper Input Validation?

Upgrade apache-airflow-providers-apache-hive to version 6.1.2 or higher.

[,6.1.2)

Remote Code Execution (RCE)

Affected versions of this package are vulnerable to Remote Code Execution (RCE) by bypassing the security check on the beeline principal parameter passed to the _prepare_cli_cmd() function. Attackers with permission to modify the connection details can trigger code execution.

How to fix Remote Code Execution (RCE)?

Upgrade apache-airflow-providers-apache-hive to version 6.1.1rc1 or higher.

[,6.1.1rc1)

Arbitrary Code Injection

Affected versions of this package are vulnerable to Arbitrary Code Injection due to improper control of generation of code.

How to fix Arbitrary Code Injection?

Upgrade apache-airflow-providers-apache-hive to version 6.0.0 or higher.

[,6.0.0)

Improper Input Validation

Affected versions of this package are vulnerable to Improper Input Validation such that the parameters for Hive when beeline is used are not validated.

How to fix Improper Input Validation?

Upgrade apache-airflow-providers-apache-hive to version 5.1.3 or higher.

[,5.1.3)

Command Injection

Affected versions of this package are vulnerable to Command Injection via hive_cli_params, due to insufficient sanitization of user input.

How to fix Command Injection?

Upgrade apache-airflow-providers-apache-hive to version 5.0.0 or higher.

[,5.0.0)

OS Command Injection

Affected versions of this package are vulnerable to OS Command Injection which allows an attacker to execute arbitrary commands in the task execution context, without write access to DAG files.

How to fix OS Command Injection?

Upgrade apache-airflow-providers-apache-hive to version 4.1.0 or higher.

[,4.1.0)

apache-airflow-providers-apache-hive@2.2.0rc2 vulnerabilities

Provider package apache-airflow-providers-apache-hive for Apache Airflow

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

How to fix?