12 matches found
EUVD-2018-0777
Malware in sbrugna...
GHSA-5GVM-HRW5-H6XF Improper Authentication in org.apache.hive:hive, org.apache.hive:hive-exec, and org.apache.hive:hive-service
The LDAP implementation in HiveServer2 in Apache Hive before 1.0.1 and 1.1.x before 1.1.1, as used in IBM InfoSphere BigInsights 3.0, 3.0.0.1, and 3.0.0.2 and other products, mishandles simple unauthenticated and anonymous bind configurations, which allows remote attackers to bypass authenticatio...
GHSA-RRFQ-G5FQ-FC9C Improper Authentication in hive:hive-exec
In Apache Hive 2.3.3, 3.1.0 and earlier, local resources on HiveServer2 machines are not properly protected against a malicious user if the Ranger, Sentry or SQL standard authorizer is not in use...
Authorization Bypass
hive-exec is vulnerable to an authorization bypass. The library does not provide an authorization fallback if the standard Ranger, SQL or Sentry authorizer is not used, allowing a malicious user to gain unauthorized access to local resources on the HiveServer2 machine...
CVE-2018-1284
In Apache Hive 0.6.0 to 2.3.2, a malicious user might use any of the xpath UDFs (xpath/xpath_string/xpath_boolean/xpath_number/xpath_double/xpath_float/xpath_long/xpath_int/xpath_short) to expose the content of a file on the machine running HiveServer2 owned by the HiveServer2 user (usually hive) if...
Design/Logic Flaw
Apache Hive (JDBC + HiveServer2) implements SSL for plain TCP and HTTP connections (it supports both transport modes). While validating the server's certificate during the connection setup, the client in Apache Hive before 1.2.2 and 2.0.x before 2.0.1 doesn't seem to be verifying the common name...
CVE-2016-3083
Apache Hive (JDBC + HiveServer2) implements SSL for plain TCP and HTTP connections (it supports both transport modes). While validating the server's certificate during the connection setup, the client in Apache Hive before 1.2.2 and 2.0.x before 2.0.1 doesn't seem to be verifying the common name...
CVE-2016-3083
CVE-2016-3083 affects Apache Hive JDBC/HiveServer2: SSL is used for plain TCP and HTTP, but the client may fail to verify the certificate’s common name during the SSL handshake in Hive versions before 1.2.2 and 2.0.x before 2.0.1. This can allow a server presenting a valid CA-signed cert for a di...
CVE-2015-1772
The LDAP implementation in HiveServer2 in Apache Hive before 1.0.1 and 1.1.x before 1.1.1, as used in IBM InfoSphere BigInsights 3.0, 3.0.0.1, and 3.0.0.2 and other products, mishandles simple unauthenticated and anonymous bind configurations, which allows remote attackers to bypass authenticatio...
CVE-2015-1772
CVE-2015-1772 affects HiveServer2 LDAP authentication in Apache Hive (used in IBM InfoSphere BigInsights and similar products). The issue arises when LDAP authentication is configured with simple unauthenticated or anonymous binds, letting remote attackers bypass authentication via crafted LDAP r...
CVE-2015-1772
The LDAP implementation in HiveServer2 in Apache Hive before 1.0.1 and 1.1.x before 1.1.1, as used in IBM InfoSphere BigInsights 3.0, 3.0.0.1, and 3.0.0.2 and other products, mishandles simple unauthenticated and anonymous bind configurations, which allows remote attackers to bypass authenticatio...
Apache Hive Authentication Vulnerability
Apache Hive is database software that facilitates querying and managing large data sets on distributed storage devices. In Apache Hive versions 0.11.0-1.0.0 and 1.1.0, the LDAP service is sometimes configured to allow unauthenticated bindings, and when HiveServer2 is configured to use LDAP authenticati...