CVE-2015-1772
HIGH
IBM InfoSphere BigInsights 3.0-3.0.0.2 - Unauthenticated Authentication Bypass via LDAP Bind
Title source: llm
Description
The LDAP implementation in HiveServer2 in Apache Hive before 1.0.1 and 1.1.x before 1.1.1, as used in IBM InfoSphere BigInsights 3.0, 3.0.0.1, and 3.0.0.2 and other products, mishandles simple unauthenticated and anonymous bind configurations, which allows remote attackers to bypass authentication via a crafted LDAP request.
References (4)
Core References
Various Sources mailing-list x_refsource_mlist
http://mail-archives.apache.org/mod_mbox/www-announce/201505.mbox/%3CCAOpgucy52yzNN1FaRcxwhZmx8ZtNRjmK6V0Bxk4svAD-R1q70Q%40mail.gmail.com%3E
Vendor Advisory x_refsource_confirm
http://www-01.ibm.com/support/docview.wss?uid=swg21969546
Various Sources x_refsource_confirm
https://www.cloudera.com/documentation/other/security-bulletins/topics/csb_topic_1.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1034365
Scores
CVSS v3
7.3
EPSS
0.0016
EPSS Percentile
37.0%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Details
CWE
CWE-287
Status
published
Products (8)
apache/hive
1.0.0
apache/hive
1.1.0
ibm/infosphere_biginsights
3.0.0.0
ibm/infosphere_biginsights
3.0.0.1
ibm/infosphere_biginsights
3.0.0.2
org.apache.hive/hive
1.0.0 - 1.0.1 (Maven)
org.apache.hive/hive-exec
1.0.0 - 1.0.1 (Maven)
org.apache.hive/hive-service
1.0.0 - 1.0.1 (Maven)
Published
Dec 21, 2015
Tracked Since
Feb 18, 2026