Page 2 of 9 results (0.011 seconds)

CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0

This vulnerability in Apache Hive JDBC driver 0.7.1 to 2.3.2 allows carefully crafted arguments to be used to bypass the argument escaping/cleanup that JDBC driver does in PreparedStatement implementation. Esta vulnerabilidad en el controlador JDBC de Apache Hive, de la versión 0.7.1 a la 2.3.2, permite que los argumentos cuidadosamente manipulados se empleen para omitir el escape/limpieza de argumentos que el controlador JDBC realiza en la implementación PreparedStatement. • http://www.securityfocus.com/bid/103751 https://exchange.xforce.ibmcloud.com/vulnerabilities/141253 https://lists.apache.org/thread.html/74bd2bff1827febb348dfb323986fa340d3bb97a315ab93c3ccc8299%40%3Cdev.hive.apache.org%3E • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0

In Apache Hive 0.6.0 to 2.3.2, malicious user might use any xpath UDFs (xpath/xpath_string/xpath_boolean/xpath_number/xpath_double/xpath_float/xpath_long/xpath_int/xpath_short) to expose the content of a file on the machine running HiveServer2 owned by HiveServer2 user (usually hive) if hive.server2.enable.doAs=false. En Apache Hive, de la versión 0.6.0 a la 2.3.2, un usuario malicioso podría emplear cualquier UDF xpath (xpath/xpath_string/xpath_boolean/xpath_number/xpath_double/xpath_float/xpath_long/xpath_int/xpath_short) para exponer el contenido de un archivo en la máquina que ejecuta HiveServer2, propiedad de un usuario HiveServer2 (normalmente hive) si hive.server2.enable.doAs=false. • http://www.securityfocus.com/bid/103750 https://lists.apache.org/thread.html/29184dbce4a37be2af36e539ecb479b1d27868f73ccfdff46c7174b4%40%3Cdev.hive.apache.org%3E • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 7.5EPSS: 0%CPEs: 9EXPL: 0

Apache Hive (JDBC + HiveServer2) implements SSL for plain TCP and HTTP connections (it supports both transport modes). While validating the server's certificate during the connection setup, the client in Apache Hive before 1.2.2 and 2.0.x before 2.0.1 doesn't seem to be verifying the common name attribute of the certificate. In this way, if a JDBC client sends an SSL request to server abc.com, and the server responds with a valid certificate (certified by CA) but issued to xyz.com, the client will accept that as a valid certificate and the SSL handshake will go through. Apache Hive (JDBC + HiveServer2) implementa SSL para conexiones planas TCP y HTTP (soporta ambos modos de transporte). Mientras se comprueba el certificado del servidor durante la configuración de la conexión, el cliente Apache Hive anterior a versión 1.2.2 y versiones 2.0.x anteriores a 2.0.1, no parece estar comprobando el atributo de nombre común del certificado. • http://www.securityfocus.com/bid/98669 https://lists.apache.org/thread.html/0851bcf85635385f94cdaa008053802d92b4aab0a3075e30ed171192%40%3Cdev.hive.apache.org%3E • CWE-295: Improper Certificate Validation •

CVSS: 3.5EPSS: 0%CPEs: 1EXPL: 0

Apache Hive before 0.13.1, when in SQL standards based authorization mode, does not properly check the file permissions for (1) import and (2) export statements, which allows remote authenticated users to obtain sensitive information via a crafted URI. En Apache Hive anterior a 0.13.1., cuando se usa el modo de autorización basada en estandares SQL , no se comprueban correctamente los permisos de archivo para las declaraciones de (1) import y (2) export, permitiendo a usuarios autenticados obtener información sensible a través de peticiones URI específicamente diseñadas. • http://mail-archives.apache.org/mod_mbox/hive-user/201406.mbox/%3CCABgNGzeN7E+9d=YV5yvnKA7wmSx1op_avtUjPcPtDaR6DLJM6g%40mail.gmail.com%3E http://packetstormsecurity.com/files/127091/Apache-Hive-0.13.0-Authorization-Failure.html http://www.securityfocus.com/archive/1/532418/100/0/threaded • CWE-284: Improper Access Control •