CVE-2018-11777

In Apache Hive 2.3.3, 3.1.0 and earlier, local resources on HiveServer2 machines are not properly protected against malicious user if ranger, sentry or sql standard authorizer is not in use.

Published: Nov 8, 2018
Updated: Nov 8, 2023
CVE: CVE-2018-11777
GHSA: GHSA-rrfq-g5fq-fc9c
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 8.1
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CVSS v2:

Severity: Medium
Score: 5.5
AV:N/AC:L/Au:S/C:P/I:P/A:N

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
apache / hive	-	2.3.3.x
apache / hive	3.0.0	3.1.0.x
org.apache.hive / hive-exec	3.0.0	3.1.1
org.apache.hive / hive-exec	-	2.3.4

http://www.securityfocus.com/bid/105886
https://lists.apache.org/thread.html/963c8e2516405c9b532b4add16c03b2c5db621e0c83e80f45049cbbb@%3Cdev.hive.apache.org%3E
https://lists.apache.org/thread.html/963c8e2516405c9b532b4add16c03b2c5db621e0c83e80f45049cbbb%40%3Cdev.hive.apache.org%3E

Vulnerability Database

289,697

CVE-2018-11777