CVE-2015-1772

HIGH

IBM Infosphere Biginsights < 1.0.1 - Authentication Bypass

Title source: rule

Description

The LDAP implementation in HiveServer2 in Apache Hive before 1.0.1 and 1.1.x before 1.1.1, as used in IBM InfoSphere BigInsights 3.0, 3.0.0.1, and 3.0.0.2 and other products, mishandles simple unauthenticated and anonymous bind configurations, which allows remote attackers to bypass authentication via a crafted LDAP request.

Scores

CVSS v3 7.3
EPSS 0.0016
EPSS Percentile 37.1%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Classification

CWE
CWE-287
Status draft

Affected Products (8)

ibm/infosphere_biginsights
ibm/infosphere_biginsights
ibm/infosphere_biginsights
apache/hive
apache/hive
org.apache.hive/hive < 1.0.1 (Maven)
org.apache.hive/hive-exec < 1.0.1 (Maven)
org.apache.hive/hive-service < 1.0.1 (Maven)

Timeline

Published Dec 21, 2015
Tracked Since Feb 18, 2026