Vulnerabilities > Apache > Hive
DATE | CVE | VULNERABILITY TITLE | DESCRIPTION | RISK |
---|---|---|---|---|
2022-07-16 | CVE-2021-34538 | Missing Authentication for Critical Function vulnerability in Apache Hive | In Apache Hive before 3.1.3, "CREATE" and "DROP" function operations do not check for necessary authorization of involved entities in the query. | 7.5 |
2021-03-16 | CVE-2020-1926 | Information Exposure Through Discrepancy vulnerability in Apache Hive | Apache Hive cookie signature verification used a non-constant-time comparison, which is known to be vulnerable to timing attacks. | 5.9 |
2021-02-12 | CVE-2020-13949 | Resource Exhaustion vulnerability in multiple products | In Apache Thrift 0.9.3 to 0.13.0, malicious RPC clients could send short messages which would result in a large memory allocation, potentially leading to denial of service. | 7.5 |
2020-05-21 | CVE-2018-21234 | Deserialization of Untrusted Data vulnerability in multiple products | Jodd before 5.0.4 performs Deserialization of Untrusted JSON Data when setClassMetadataName is set. | 9.8 |
2018-11-08 | CVE-2018-1314 | Missing Authorization vulnerability in Apache Hive | In Apache Hive 2.3.3, 3.1.0 and earlier, the Hive "EXPLAIN" operation does not check for necessary authorization of involved entities in a query. | 4.3 |
2018-11-08 | CVE-2018-11777 | Unspecified vulnerability in Apache Hive | In Apache Hive 2.3.3, 3.1.0 and earlier, local resources on HiveServer2 machines are not properly protected against a malicious user if Ranger, Sentry or the SQL standard authorizer is not in use. | 8.1 |
2018-04-05 | CVE-2018-1315 | Incorrect Permission Assignment for Critical Resource vulnerability in Apache Hive | In Apache Hive 2.1.0 to 2.3.2, when a 'COPY FROM FTP' statement is run using the HPL/SQL extension to Hive, a compromised/malicious FTP server can cause the file to be written to an arbitrary location on the cluster where the command is run from. | 3.7 |
2018-04-05 | CVE-2018-1284 | Information Exposure vulnerability in Apache Hive | In Apache Hive 0.6.0 to 2.3.2, a malicious user might use any xpath UDFs (xpath/xpath_string/xpath_boolean/xpath_number/xpath_double/xpath_float/xpath_long/xpath_int/xpath_short) to expose the content of a file on the machine running HiveServer2 owned by the HiveServer2 user (usually hive) if hive.server2.enable.doAs=false. | 3.7 |
2018-04-05 | CVE-2018-1282 | SQL Injection vulnerability in Apache Hive | This vulnerability in Apache Hive JDBC driver 0.7.1 to 2.3.2 allows carefully crafted arguments to be used to bypass the argument escaping/cleanup that the JDBC driver does in its PreparedStatement implementation. | 9.1 |
2017-11-01 | CVE-2017-12625 | Information Exposure vulnerability in Apache Hive | Apache Hive 2.1.x before 2.1.2, 2.2.x before 2.2.1, and 2.3.x before 2.3.1 expose an interface through which masking policies can be defined on tables or views, e.g., using Apache Ranger. | 4.3 |