CVE-2016-3083

Severity: 7.5 HIGH
EPSS: 0.2% (top 57.07%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published May 30; latest update Mar 14

Description

Apache Hive (JDBC + HiveServer2) implements SSL for plain TCP and HTTP connections (it supports both transport modes). While validating the server's certificate during the connection setup, the client in Apache Hive before 1.2.2 and 2.0.x before 2.0.1 doesn't seem to be verifying the common name attribute of the certificate. In this way, if a JDBC client sends an SSL request to server abc.com, and the server responds with a valid certificate (certified by CA) but issued to xyz.com, the client wi

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Exploitability: 3.9 | Impact: 3.6

Affected Packages (5 packages)

Source     | Package                                 | Affected versions                          | Fixed in
Maven      | org.apache.hive:hive                    | 2.0.0                                      | 2.0.1
Maven      | org.apache.hive:hive-exec               | 2.0.0                                      | 2.0.1
Maven      | org.apache.hive:hive-service            | 2.0.0                                      | 2.0.1
NVD        | apache/hive                             | 9 versions                                 |
CVEListV5  | apache_software_foundation/apache_hive  | 0.11.0 - 0.14.0, 1.0.0 - 1.2.1, 2.0.0      |

Vulnerability Details (3 references)

OSV: org.apache.hive:hive, org.apache.hive:hive-exec, and org.apache.hive:hive-service vulnerable to Improper Certificate Validation (2019-03-14)
GHSA: org.apache.hive:hive, org.apache.hive:hive-exec, and org.apache.hive:hive-service vulnerable to Improper Certificate Validation (2019-03-14)
CVEList: CVE-2016-3083: Apache Hive (JDBC + HiveServer2) implements SSL for plain TCP and HTTP connections (it supports both transport modes) (2017-05-30)

Community (2 references)

Bugzilla: CVE-2016-3083 hive: Common name attribute of the certificate is not verified [fedora-all] (2017-05-31)
Bugzilla: CVE-2016-3083 hive: Common name attribute of the certificate is not verified (2017-05-31)