CVE-2021-34538

Severity
7.5 HIGH
EPSS
0.4%
top 42.28%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Jul 16
Latest update: Jul 17

Description

Apache Hive before 3.1.3 "CREATE" and "DROP" function operations do not check for necessary authorization of involved entities in the query. It was found that an unauthorized user can manipulate an existing UDF without having the privileges to do so. This allowed unauthorized or underprivileged users to drop and recreate UDFs, pointing them to new jars that could be potentially malicious.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Exploitability: 3.9 | Impact: 3.6

Affected Packages (3 packages)

CVEListV5 | apache_software_foundation/apache_hive | Apache Hive | 3.1.3
NVD | apache/hive | < 3.1.3
Maven | org.apache.hive:hive | < 3.1.3

Vulnerability Details (3)

OSV | Apache Hive before 3.1.3 `CREATE` and `DROP` function operations do not check for necessary authorization. | 2022-07-17
GHSA | Apache Hive before 3.1.3 `CREATE` and `DROP` function operations do not check for necessary authorization. | 2022-07-17
CVEList | Apache Hive Security vulnerability in Hive with UDFs | 2022-07-16