Improper Access Control Affecting org.apache.hive:hive-exec package, versions [0.8.0, 0.13.1)


Severity

Recommended
0.0
low
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.06% (27th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Improper Access Control vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-JAVA-ORGAPACHEHIVE-474416
  • published5 Apr 2015
  • disclosed16 Nov 2014
  • creditThejas Nair of Hortonworks

Introduced: 16 Nov 2014

CVE-2014-0228  (opens in a new tab)
CWE-284  (opens in a new tab)

How to fix?

Upgrade org.apache.hive:hive-exec to version 0.13.1 or higher.

Overview

org.apache.hive:hive-exec is a package for reading, writing, and managing large datasets residing in distributed storage using SQL.

Affected versions of this package are vulnerable to Improper Access Control. When in SQL standards based authorization mode, the package does not properly check the file permissions for (1) import and (2) export statements, which allows remote authenticated users to obtain sensitive information via a crafted URI.

CVSS Scores

version 3.1