CVE-2018-1314

CWE-862 — Missing Authorization4 documents4 sources

Severity

4.3MEDIUM

EPSS

0.4%

top 40.91%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Hive Apache Software Foundation Apache Hive

Timeline

PublishedNov 8

Latest updateNov 21

Description

In Apache Hive 2.3.3, 3.1.0 and earlier, Hive "EXPLAIN" operation does not check for necessary authorization of involved entities in a query. An unauthorized user can do "EXPLAIN" on arbitrary table or view and expose table metadata and statistics.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages3 packages

▶Mavenorg.apache.hive:hive-jdbc3.0.0 — 3.1.1+1

▶NVDapache/hive3.0.0 — 3.1.0+1

▶CVEListV5apache_software_foundation/apache_hiveAll versions of Hive including 2.3.3, 3.1.0 and earlier

🔴Vulnerability Details

GHSA

Moderate severity vulnerability that affects org.apache.hive:hive-jdbc↗2018-11-21

▶

OSV

Moderate severity vulnerability that affects org.apache.hive:hive-jdbc↗2018-11-21

▶

CVEList

CVE-2018-1314: In Apache Hive 2↗2018-11-08

▶