Description
Apache Hive before 0.13.1, when in SQL standards based authorization mode, does not properly check the file permissions for (1) import and (2) export statements, which allows remote authenticated users to obtain sensitive information via a crafted URI.
References (3)
Core 3
Core References
Various Sources mailing-list
x_refsource_mlist
http://mail-archives.apache.org/mod_mbox/hive-user/201406.mbox/%3CCABgNGzeN7E+9d=YV5yvnKA7wmSx1op_avtUjPcPtDaR6DLJM6g%40mail.gmail.com%3E
Exploit, Third Party Advisory x_refsource_misc
http://packetstormsecurity.com/files/127091/Apache-Hive-0.13.0-Authorization-Failure.html
Third Party Advisory, VDB Entry mailing-list
x_refsource_bugtraq
http://www.securityfocus.com/archive/1/532418/100/0/threaded
Scores
EPSS
0.0032
EPSS Percentile
55.4%
Details
CWE
CWE-284
Status
published
Products (4)
apache/hive
< 0.13.0
org.apache.hive/hive
0 - 0.13.1Maven
org.apache.hive/hive-exec
0 - 0.13.1Maven
org.apache.hive/hive-service
0 - 0.13.1Maven
Published
Nov 16, 2014
Tracked Since
Feb 18, 2026