GitHub Advisory DatabaseGHSA-VJR2-WPFH-5R9PApache Ranger Hive Plugin missing permissions check
8.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
0.001 Low
EPSS
Percentile
30.2%
An Incorrect Permission Assignment for Critical Resource vulnerability was found in the Apache Ranger Hive Plugin. Any user with SELECT privilege on a database can alter the ownership of the table in Hive when Apache Ranger Hive Plugin is enabled
This issue affects Apache Ranger Hive Plugin: from 2.0.0 through 2.3.0. Users are recommended to upgrade to version 2.4.0 or later.
Affected configurations
| CPE | Name | Operator | Version |
|---|---|---|---|
| org.apache.ranger:ranger-hive-plugin | lt | 2.4.0 |
References
github.com/advisories/GHSA-vjr2-wpfh-5r9p
github.com/apache/ranger/commit/7dec3015ec82b69ba8f724410f12dfce2480cccd
github.com/apache/ranger/commit/9115a20d524ba9173ce5db3e270c385d58d8aeab
issues.apache.org/jira/browse/RANGER-3357
issues.apache.org/jira/browse/RANGER-3474
lists.apache.org/thread/s68yls6cnkdmzn1k4hqt50vs6wjvt2rn
nvd.nist.gov/vuln/detail/CVE-2021-40331
Related
8.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
0.001 Low
EPSS
Percentile
30.2%