Lucene search
Apache Impala

7 matches found

CVE, added 2017/07/10 8:00 p.m., 60 views

CVE-2017-5640

CVE-2017-5640 affects Apache Impala (incubating) versions 2.7.0–2.8.0. A malicious process impersonating an Impala daemon can cause the server to skip authentication checks when Kerberos is enabled but TLS is not, by replying with COMPLETE before the SASL handshake finishes, making the client tre...

CVSS 9.8, AI score 9.4, EPSS 0.01296

CVE, added 2019/11/05 7:30 p.m., 54 views

CVE-2019-10084

CVE-2019-10084 affects Apache Impala 2.7.0 to 3.2.0. An authenticated user who can observe the IDs of active queries or sessions can craft requests to interact with those sessions/queries, potentially bypassing authorization and audit controls. Root causes noted include: session/query IDs are uni...

CVSS 7.5, AI score 7.6, EPSS 0.00094

CVE, added 2021/07/22 10:05 a.m., 52 views

CVE-2021-28131

CVE-2021-28131 (Impala): The vulnerability arises because a 16-byte session secret is logged, enabling an authenticated user to hijack another user’s session and execute statements with privileges not held. Affected deployments with Apache Sentry, Apache Ranger, or audit logging may face privileg...

CVSS 7.5, AI score 7.8, EPSS 0.00238

CVE, added 2017/10/03 1:00 a.m., 51 views

CVE-2017-9792

CVE-2017-9792 affects Apache Impala (incubating) before 2.10.0. A user with ALTER privileges on an Impala table can bypass authorization by turning a non-external Kudu table into external mode and altering the underlying mapping to point at other Kudu tables, potentially accessing data across tab...

CVSS 6.5, AI score 6.5, EPSS 0.00207

CVE, added 2017/07/10 8:00 p.m., 49 views

CVE-2017-5652

The CVE-2017-5652 entry concerns Apache Impala (incubating) versions 2.7.0–2.8.0 where one port used by the StatestoreSubscriber did not employ the secure Thrift transport when TLS was enabled. This allowed an attacker with network access to eavesdrop on plaintext data traversing that port, const...

CVSS 7.5, AI score 7.4, EPSS 0.00333

CVE, added 2018/10/24 8:00 p.m., 47 views

CVE-2018-11792

CVE-2018-11792 affects Apache Impala up to version 3.0.1. The issue occurs when performing ALTER TABLE/VIEW RENAME, which requires ALTER on the old table. This can enable privilege escalation: if a user has ALTER on a table and ALL on the database, they can move the table to a database with ALL, ...

CVSS 9.8, AI score 9.3, EPSS 0.00522

CVE, added 2018/10/24 8:00 p.m., 39 views

CVE-2018-11785

CVE-2018-11785 affects Apache Impala versions prior to 3.0.1 where a missing authorization check allows a Kerberos-authenticated but unauthorized user to inject random data into a running query, resulting in incorrect query results. The connected CNVD/OSV/NVD records corroborate the lack of autho...

CVSS 6.5, AI score 6.3, EPSS 0.00108