CVE-2015-1772

CWE-287 — Improper Authentication7 documents6 sources

Severity

7.3HIGH

EPSS

0.2%

top 62.78%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Hive IBM Infosphere Biginsights

Timeline

PublishedDec 21

Latest updateMar 14

Description

The LDAP implementation in HiveServer2 in Apache Hive before 1.0.1 and 1.1.x before 1.1.1, as used in IBM InfoSphere BigInsights 3.0, 3.0.0.1, and 3.0.0.2 and other products, mishandles simple unauthenticated and anonymous bind configurations, which allows remote attackers to bypass authentication via a crafted LDAP request.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:LExploitability: 3.9 | Impact: 3.4

Affected Packages5 packages

▶Mavenorg.apache.hive:hive1.0.0 — 1.0.1+1

▶Mavenorg.apache.hive:hive-exec1.0.0 — 1.0.1+1

▶Mavenorg.apache.hive:hive-service1.0.0 — 1.0.1+1

▶NVDapache/hive1.0.0, 1.1.0+1

▶NVDibm/infosphere_biginsights3.0.0.0, 3.0.0.1, 3.0.0.2+2

🔴Vulnerability Details

OSV

Improper Authentication in org.apache.hive:hive, org.apache.hive:hive-exec, and org.apache.hive:hive-service↗2019-03-14

▶

GHSA

Improper Authentication in org.apache.hive:hive, org.apache.hive:hive-exec, and org.apache.hive:hive-service↗2019-03-14

▶

CVEList

CVE-2015-1772: The LDAP implementation in HiveServer2 in Apache Hive before 1↗2015-12-21

▶

📋Vendor Advisories

Red Hat

Hive: authentication vulnerability in HiveServer2↗2015-05-21

▶

💬Community

Bugzilla

CVE-2015-1772 Apache Hive: authentication vulnerability in HiveServer2↗2015-12-23

▶

Bugzilla

CVE-2015-1772 Apache Hive: authentication vulnerability in HiveServer2 [fedora-all]↗2015-12-23

▶