CVE-2014-0228

Apache Hive <0.13.1 - Info Disclosure

Title source: llm

Description

Apache Hive before 0.13.1, when in SQL standards based authorization mode, does not properly check the file permissions for (1) import and (2) export statements, which allows remote authenticated users to obtain sensitive information via a crafted URI.

References (3)

[Various Sources] http://mail-archives.apache.org/mod_mbox/hive-user/201406.mbox/%3CCABgNGzeN7E+9d=YV5yvnKA7wmSx1op_avtUjPcPtDaR6DLJM6g%40mail.gmail.com%3E

[Exploit, Third Party Advisory] http://packetstormsecurity.com/files/127091/Apache-Hive-0.13.0-Authorization-Failure.html

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/archive/1/532418/100/0/threaded

Scores

EPSS 0.0032

EPSS Percentile 54.8%

Classification

CWE

CWE-284

Status draft

Affected Products (4)

apache/hive < 0.13.0

org.apache.hive/hive < 0.13.1Maven

org.apache.hive/hive-exec < 0.13.1Maven

org.apache.hive/hive-service < 0.13.1Maven

Timeline

Published Nov 16, 2014

Tracked Since Feb 18, 2026