17 matches found
Security Bulletin: SQL Injection Vulnerability in Apache Hive Metastore Server Thrift APIs, affects watsonx.data
Summary: Apache Hive versions 4.1.0 before 4.2.0 are vulnerable to SQL injection in Hive Metastore Server when handling delete column statistics via Thrift APIs. Exploitation is limited to authorized users with API access. Upgrading to 4.2.0 or disabling direct SQL metastore.try.direct.sql=false...
CVE-2025-62728
SQL injection vulnerability in Hive Metastore Server (HMS) when processing delete column statistics requests via the Thrift APIs. The vulnerability is only exploitable by trusted/authorized users/applications that are allowed to call directly the Thrift APIs. In most real-world deployments, HMS is...
SQL Injection
Overview: Affected versions of this package are vulnerable to SQL Injection via the processing of delete column statistics requests through the HMS Thrift APIs. An attacker can execute arbitrary SQL commands by sending specially crafted requests to the affected API endpoints. This is only...
org.apache.hive.hcatalog:hive-hcatalog-core (=4.1.0), org.apache.hive.hcatalog:hive-hcatalog-pig-adapter (=4.1.0) +10 more potentially affected by CVE-2025-62728 via org.apache.hive:hive-metastore (=4.1.0)
org.apache.hive:hive-metastore MAVEN version =4.1.0 is affected by a known vulnerability. The following packages have a transitive dependency on org.apache.hive:hive-metastore and may be impacted: - org.apache.hive.hcatalog:hive-hcatalog-core =4.1.0 -...
GHSA-932V-X9X2-VQ29 Hive Metastore Server is vulnerable to SQL Injection
SQL injection vulnerability in Hive Metastore Server (HMS) when processing delete column statistics requests via the Thrift APIs. The vulnerability is only exploitable by trusted/authorized users/applications that are allowed to call directly the Thrift APIs. In most real-world deployments, HMS is...
Hive Metastore Server is vulnerable to SQL Injection
SQL injection vulnerability in Hive Metastore Server (HMS) when processing delete column statistics requests via the Thrift APIs. The vulnerability is only exploitable by trusted/authorized users/applications that are allowed to call directly the Thrift APIs. In most real-world deployments, HMS is...
CVE-2025-62728
SQL injection vulnerability in Hive Metastore Server (HMS) when processing delete column statistics requests via the Thrift APIs. The vulnerability is only exploitable by trusted/authorized users/applications that are allowed to call directly the Thrift APIs. In most real-world deployments, HMS is...
CVE-2025-62728
SQL injection vulnerability in Hive Metastore Server (HMS) when processing delete column statistics requests via the Thrift APIs. The vulnerability is only exploitable by trusted/authorized users/applications that are allowed to call directly the Thrift APIs. In most real-world deployments, HMS is...
EUVD-2025-199715
SQL injection vulnerability in Hive Metastore Server (HMS) when processing delete column statistics requests via the Thrift APIs. The vulnerability is only exploitable by trusted/authorized users/applications that are allowed to call directly the Thrift APIs. In most real-world deployments, HMS is...
CVE-2025-62728 Apache Hive: SQL injection vulnerability when processing delete column statistics requests via the HMS Thrift APIs
SQL injection vulnerability in Hive Metastore Server (HMS) when processing delete column statistics requests via the Thrift APIs. The vulnerability is only exploitable by trusted/authorized users/applications that are allowed to call directly the Thrift APIs. In most real-world deployments, HMS is...
CVE-2025-62728 Apache Hive: SQL injection vulnerability when processing delete column statistics requests via the HMS Thrift APIs
SQL injection vulnerability in Hive Metastore Server (HMS) when processing delete column statistics requests via the Thrift APIs. The vulnerability is only exploitable by trusted/authorized users/applications that are allowed to call directly the Thrift APIs. In most real-world deployments, HMS is...
PT-2025-48132
Name of the Vulnerable Software and Affected Versions: Apache Hive versions 4.1.0 through 4.2.0 Description: A SQL injection issue exists in the Hive Metastore Server (HMS) when handling delete column statistics requests through the Thrift APIs. This issue is exploitable only by authorized users or...
GHSA-6HQR-C69M-R76Q Apache Hive: Deserialization of untrusted data when fetching partitions from the Metastore
Apache Hive Metastore (HMS) uses SerializationUtilities#deserializeObjectWithTypeInformation method when filtering and fetching partitions that is unsafe and can lead to Remote Code Execution (RCE) since it allows the deserialization of arbitrary data. In real deployments, the vulnerability can be...
CVE-2022-41137
Apache Hive Metastore (HMS) uses SerializationUtilities#deserializeObjectWithTypeInformation method when filtering and fetching partitions that is unsafe and can lead to Remote Code Execution (RCE) since it allows the deserialization of arbitrary data. In real deployments, the vulnerability can be...
PT-2024-11639 · Apache · Apache Hive Metastore
Name of the Vulnerable Software and Affected Versions: Apache Hive Metastore (HMS), affected versions not specified Description: The issue concerns the use of the SerializationUtilities#deserializeObjectWithTypeInformation method when filtering and fetching partitions, which is unsafe and can lead to...
Improper Privilege Management
Snowflake Hive MetaStore Connector is vulnerable to Improper Privilege Management. The vulnerability is caused due to improper content validation within the addsnowflakehivemetastoreconnectorscriptaction.sh script, allowing a malicious actor to replace the valid content with malicious code,...
Snowflake Hive metastore connector security vulnerability
Snowflake Hive metastore connector is a tool or component of Snowflake, Inc. A security vulnerability exists in Snowflake Hive metastore connector. An attacker can exploit the vulnerability to elevate privileges...