Описание
Apache Hive before 3.1.3 "CREATE" and "DROP" function operations does not check for necessary authorization of involved entities in the query. It was found that an unauthorized user can manipulate an existing UDF without having the privileges to do so. This allowed unauthorized or underprivileged users to drop and recreate UDFs pointing them to new jars that could be potentially malicious.
Ссылки
- Mailing ListVendor Advisory
- Mailing ListVendor Advisory
Уязвимые конфигурации
Конфигурация 1Версия до 3.1.3 (исключая)
cpe:2.3:a:apache:hive:*:*:*:*:*:*:*:*
EPSS
Процентиль: 63%
0.00451
Низкий
7.5 High
CVSS3
Дефекты
CWE-306
CWE-306
Связанные уязвимости
CVSS3: 7.5
github
больше 3 лет назад
Apache Hive before 3.1.3 `CREATE` and `DROP` function operations do not check for necessary authorization.
EPSS
Процентиль: 63%
0.00451
Низкий
7.5 High
CVSS3
Дефекты
CWE-306
CWE-306