Lucene search

Veracode Vulnerability DatabaseVERACODE:46743

HistoryMay 06, 2024 - 4:26 a.m.

Code Injection

2024-05-0604:26:45

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

apache hive

code injection

vulnerability

openbrowserwindow

method

authenticated attacker

execute commands

malicious urls

6.8 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

8.7%

JSON

Apache Hive is vulnerable to Code Injection. The vulnerability is caused by improper sanitization or validation of user-supplied URLs in the openBrowserWindow method within HiveJdbcBrowserClient.java, which allows an authenticated attacker to submit a malicious URL which results in command injection.

CPENameOperatorVersion
hive jdbcle4.0.0-beta-1
hive jdbcle4.0.0-beta-1

CPE	Name	Operator	Version
	hive jdbc	le	4.0.0-beta-1
	hive jdbc	le	4.0.0-beta-1

References

www.openwall.com/lists/oss-security/2024/05/03/3

github.com/advisories/GHSA-vpw3-3prf-3974

github.com/apache/hive/commit/7abeb1df463cc389f668172e7cf3bb772799858a

lists.apache.org/thread/7zcv6l63spl4r66xwz5jv9rtrg2opx81