CVE-2018-1282

CWE-89 — SQL Injection9 documents7 sources

Severity

9.1CRITICAL

EPSS

0.7%

top 26.99%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Hive Apache Software Foundation Apache Hive

Timeline

PublishedApr 5

Latest updateJul 15

Description

This vulnerability in Apache Hive JDBC driver 0.7.1 to 2.3.2 allows carefully crafted arguments to be used to bypass the argument escaping/cleanup that JDBC driver does in PreparedStatement implementation.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:NExploitability: 3.9 | Impact: 5.2

Affected Packages3 packages

▶Mavenorg.apache.hive:hive-jdbc0.7.1 — 2.3.3

▶NVDapache/hive0.7.1 — 2.3.2

▶CVEListV5apache_software_foundation/apache_hive0.7.1 to 2.3.2

🔴Vulnerability Details

GHSA

SQL Injection in hive-jdbc↗2018-11-21

▶

OSV

SQL Injection in hive-jdbc↗2018-11-21

▶

CVEList

CVE-2018-1282: This vulnerability in Apache Hive JDBC driver 0↗2018-04-05

▶

📋Vendor Advisories

Oracle

Oracle Oracle Analytics Risk Matrix: Analytics Server (Apache Hive) — CVE-2018-1282↗2023-07-15

▶

Red Hat

hive: Improper input validation in jdbc/HivePreparedStatement.java allows for SQL injection↗2018-02-23

▶

💬Community

Bugzilla

CVE-2018-1273 spring-data-commons: Improper neutralization of special elements allow remote attackers to execute code via crafted requests↗2018-04-11

▶

Bugzilla

CVE-2018-1282 hive: Improper input validation in jdbc/HivePreparedStatement.java allows for SQL injection↗2018-04-06

▶

Bugzilla

CVE-2018-1282 hive: Improper input validation in jdbc/HivePreparedStatement.java allows for SQL injection [fedora-all]↗2018-04-06

▶