CVE-2018-1284

CWE-200 — Information Exposure CWE-20 — Improper Input Validation7 documents6 sources

Severity

3.7LOW

EPSS

0.5%

top 35.47%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Hive Apache Software Foundation Apache Hive

Timeline

PublishedApr 5

Latest updateNov 21

Description

In Apache Hive 0.6.0 to 2.3.2, malicious user might use any xpath UDFs (xpath/xpath_string/xpath_boolean/xpath_number/xpath_double/xpath_float/xpath_long/xpath_int/xpath_short) to expose the content of a file on the machine running HiveServer2 owned by HiveServer2 user (usually hive) if hive.server2.enable.doAs=false.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 2.2 | Impact: 1.4

Affected Packages5 packages

▶Mavenorg.apache.hive:hive0.6.0 — 2.3.3

▶Mavenorg.apache.hive:hive-exec0.6.0 — 2.3.3

▶Mavenorg.apache.hive:hive-service0.6.0 — 2.3.3

▶NVDapache/hive0.6.0 — 2.3.2

▶CVEListV5apache_software_foundation/apache_hive0.6.0 to 2.3.2

🔴Vulnerability Details

OSV

Exposure of Sensitive Information to an Unauthorized Actor in Apache hive↗2018-11-21

▶

GHSA

Exposure of Sensitive Information to an Unauthorized Actor in Apache hive↗2018-11-21

▶

CVEList

CVE-2018-1284: In Apache Hive 0↗2018-04-05

▶

📋Vendor Advisories

Red Hat

hive: Mishandled input in UDFXPathUtil.java allows users to access arbitrary files via crafted XML↗2018-03-07

▶

💬Community

Bugzilla

CVE-2018-1284 hive: Mishandled input in UDFXPathUtil.java allows users to access arbitrary files via crafted XML [fedora-all]↗2018-04-06

▶

Bugzilla

CVE-2018-1284 hive: Mishandled input in UDFXPathUtil.java allows users to access arbitrary files via crafted XML↗2018-04-06

▶