CVE-2022-41137

CWE-502Deserialization of Untrusted Data5 documents5 sources
Severity
8.3HIGH
EPSS
6.2%
top 9.13%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Apache Software Foundation Apache HiveApache Hive
Timeline
PublishedDec 5

Description

Apache Hive Metastore (HMS) uses SerializationUtilities#deserializeObjectWithTypeInformation method when filtering and fetching partitions that is unsafe and can lead to Remote Code Execution (RCE) since it allows the deserialization of arbitrary data. In real deployments, the vulnerability can be exploited only by authenticated users/clients that were able to successfully establish a connection to the Metastore. From an API perspective any code that calls the unsafe method may be vulnerable un

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:HExploitability: 2.8 | Impact: 5.5

Affected Packages3 packages

Mavenorg.apache.hive:hive-exec4.0.0-alpha-14.0.0-alpha-2
CVEListV5apache_software_foundation/apache_hive4.0.0-alpha-14.0.0
NVDapache/hive4.0.0

Patches

Patch: github.com

🔴Vulnerability Details

3
CVEList
Apache Hive: Deserialization of untrusted data when fetching partitions from the Metastore2024-12-05
GHSA
Apache Hive: Deserialization of untrusted data when fetching partitions from the Metastore2024-12-05
OSV
Apache Hive: Deserialization of untrusted data when fetching partitions from the Metastore2024-12-05

📋Vendor Advisories

1
Red Hat
hive-metastore: org.apache.hive:hive-metastore: Apache Hive: Deserialization of untrusted data when fetching partitions from the Metastore2024-12-05
CVE-2022-41137 (HIGH CVSS 8.3) | Apache Hive Metastore (HMS) uses Se | cvebase.io