CVE-2023-35701

CWE-94: Code Injection | 4 documents | 4 sources
Severity: 6.6 MEDIUM
EPSS: 0.6% (top 31.13%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published May 3

Description

Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Hive. The vulnerability affects the Hive JDBC driver component and can potentially lead to arbitrary code execution on the machine/endpoint on which the JDBC driver (client) is running. The malicious user must have sufficient permissions to specify/edit JDBC URL(s) in an endpoint relying on the Hive JDBC driver, and the JDBC client process must run under a privileged user, to fully exploit the vulnerability. The att

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Exploitability: 0.7 | Impact: 5.9

Affected Packages (3 packages)

Maven | org.apache.hive:hive-jdbc | 4.0.0-alpha-1 | 4.0.0
CVEListV5 | apache_software_foundation/apache_hive | 4.0.0-alpha-1 | 4.0.0
NVD | apache/hive | 4.0.0

🔴 Vulnerability Details (3)

GHSA | Apache Hive Code Injection vulnerability | 2024-05-03
OSV | Apache Hive Code Injection vulnerability | 2024-05-03
CVEList | Apache Hive: Arbitrary command execution via JDBC driver | 2024-05-03