Apache Hive

2025-06-08 22:18:26 +00:00 · 2022-07-16 08:06:50 +01:00 · 2022-07-16 08:06:50 +01:00 · f833117e3c
commit f833117e3c
parent 242addf498
1 changed files with 74 additions and 7 deletions
--- a/2021/34xxx/CVE-2021-34538.json
+++ b/2021/34xxx/CVE-2021-34538.json
@ -1,18 +1,85 @@
 {
    "data_type": "CVE",
    "data_format": "MITRE",
    "data_version": "4.0",
    "CVE_data_meta": {
        "ASSIGNER": "security@apache.org",
        "ID": "CVE-2021-34538",
-        "ASSIGNER": "cve@mitre.org",
+        "STATE": "PUBLIC",
-        "STATE": "RESERVED"
+        "TITLE": "Apache Hive Security vulnerability in Hive with UDFs"
    },
    "affects": {
        "vendor": {
            "vendor_data": [
                {
                    "product": {
                        "product_data": [
                            {
                                "product_name": "Apache Hive",
                                "version": {
                                    "version_data": [
                                        {
                                            "version_affected": "<",
                                            "version_name": "Apache Hive",
                                            "version_value": "3.1.3"
                                        }
                                    ]
                                }
                            }
                        ]
                    },
                    "vendor_name": "Apache Software Foundation"
                }
            ]
        }
    },
    "credit": [
        {
            "lang": "eng",
            "value": "This vulnerability was discovered and reported by Hideyuki Furue."
        }
    ],
    "data_format": "MITRE",
    "data_type": "CVE",
    "data_version": "4.0",
    "description": {
        "description_data": [
            {
                "lang": "eng",
-                "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+                "value": "Apache Hive before 3.1.3 \"CREATE\" and \"DROP\" function operations does not check for necessary authorization of involved entities in the query. It was found that an unauthorized user can manipulate an existing UDF without having the privileges to do so. This allowed unauthorized or underprivileged users to drop and recreate UDFs pointing them to new jars that could be potentially malicious."
            }
        ]
    },
    "generator": {
        "engine": "Vulnogram 0.0.9"
    },
    "impact": [
        {
            "other": "Very Important"
        }
    ],
    "problemtype": {
        "problemtype_data": [
            {
                "description": [
                    {
                        "lang": "eng",
                        "value": "CWE-306 Missing Authentication for Critical Function"
                    }
                ]
            }
        ]
    },
    "references": {
        "reference_data": [
            {
                "refsource": "CONFIRM",
                "url": "https://lists.apache.org/thread/oqqgnhz4c6nxsfd0xstosnk0g15f7354"
            }
        ]
    },
    "source": {
        "defect": [
            "HIVE-25468",
            ""
        ],
        "discovery": "UNKNOWN"
    }
 }