Vulnerabilities > Apache > Hive > 1.2.1
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2022-07-16 | CVE-2021-34538 | Missing Authentication for Critical Function vulnerability in Apache Hive Apache Hive before 3.1.3 "CREATE" and "DROP" function operations does not check for necessary authorization of involved entities in the query. | 7.5 |
2021-03-16 | CVE-2020-1926 | Information Exposure Through Discrepancy vulnerability in Apache Hive Apache Hive cookie signature verification used a non constant time comparison which is known to be vulnerable to timing attacks. | 5.9 |
2021-02-12 | CVE-2020-13949 | Resource Exhaustion vulnerability in multiple products In Apache Thrift 0.9.3 to 0.13.0, malicious RPC clients could send short messages which would result in a large memory allocation, potentially leading to denial of service. | 7.5 |
2018-11-08 | CVE-2018-1314 | Missing Authorization vulnerability in Apache Hive In Apache Hive 2.3.3, 3.1.0 and earlier, Hive "EXPLAIN" operation does not check for necessary authorization of involved entities in a query. | 4.3 |
2018-11-08 | CVE-2018-11777 | Unspecified vulnerability in Apache Hive In Apache Hive 2.3.3, 3.1.0 and earlier, local resources on HiveServer2 machines are not properly protected against malicious user if ranger, sentry or sql standard authorizer is not in use. | 8.1 |
2018-04-05 | CVE-2018-1284 | Information Exposure vulnerability in Apache Hive In Apache Hive 0.6.0 to 2.3.2, malicious user might use any xpath UDFs (xpath/xpath_string/xpath_boolean/xpath_number/xpath_double/xpath_float/xpath_long/xpath_int/xpath_short) to expose the content of a file on the machine running HiveServer2 owned by HiveServer2 user (usually hive) if hive.server2.enable.doAs=false. | 3.7 |
2018-04-05 | CVE-2018-1282 | SQL Injection vulnerability in Apache Hive This vulnerability in Apache Hive JDBC driver 0.7.1 to 2.3.2 allows carefully crafted arguments to be used to bypass the argument escaping/cleanup that JDBC driver does in PreparedStatement implementation. | 9.1 |
2017-05-30 | CVE-2016-3083 | Improper Certificate Validation vulnerability in Apache Hive Apache Hive (JDBC + HiveServer2) implements SSL for plain TCP and HTTP connections (it supports both transport modes). | 7.5 |
2016-01-29 | CVE-2015-7521 | Improper Authentication vulnerability in Apache Hive The authorization framework in Apache Hive 1.0.0, 1.0.1, 1.1.0, 1.1.1, 1.2.0 and 1.2.1, on clusters protected by Ranger and SqlStdHiveAuthorization, allows attackers to bypass intended parent table access restrictions via unspecified partition-level operations. | 8.3 |