CVE-2022-41137
Apache Hive: Deserialization of untrusted data when fetching partitions from the Metastore
Descriptions
Apache Hive Metastore (HMS) uses the SerializationUtilities#deserializeObjectWithTypeInformation method when filtering and fetching partitions. This method is unsafe and can lead to Remote Code Execution (RCE), since it allows the deserialization of arbitrary data. In real deployments, the vulnerability can be exploited only by authenticated users/clients that were able to successfully establish a connection to the Metastore. From an API perspective, any code that calls the unsafe method may be vulnerable unless it performs additional pre-checks on the input arguments.
SSVC
- Decision:Track*
Timeline
- 2022-09-20 CVE Reserved
- 2024-12-05 CVE Published
- 2024-12-05 CVE Updated
- 2024-12-07 EPSS Updated
CWE
- CWE-502: Deserialization of Untrusted Data
References (5)
URL | Tag | Date
---|---|---
https://github.com/apache/hive | Product |
https://issues.apache.org/jira/browse/HIVE-26539 | Issue Tracking |
http://www.openwall.com/lists/oss-security/2024/12/04/2 | |
https://github.com/apache/hive/commit/60027bb9c91a93affcfebd9068f064bc1f2a74c9 | | 2024-12-05
https://lists.apache.org/thread/jwtr3d9yovf2wo0qlxvkhoxnwxxyzgts | | 2024-12-05
Affected Vendors, Products, and Versions
Vendor | Product | Version | Status
---|---|---|---
Apache Software Foundation | Apache Hive | >= 4.0.0-alpha-1 < 4.0.0 | Affected