CVE-2021-34538

HIGH

Apache Hive < 3.1.3 - Unauthenticated UDF Manipulation via CREATE and DROP Operations

Title source: llm

Description

Apache Hive before 3.1.3 "CREATE" and "DROP" function operations do not check for the necessary authorization of the entities involved in the query. It was found that an unauthorized user can manipulate an existing UDF without having the privileges to do so. This allowed unauthorized or underprivileged users to drop and recreate UDFs, pointing them to new jars that could potentially be malicious.

References (1)

Mailing List, Vendor Advisory (x_refsource_misc)
https://lists.apache.org/thread/oqqgnhz4c6nxsfd0xstosnk0g15f7354

Scores

CVSS v3 7.5
EPSS 0.0045
EPSS Percentile 63.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Details

CWE
CWE-306
Status published
Products (2)
apache/hive < 3.1.3
org.apache.hive/hive 0 - 3.1.3 (Maven)
Published Jul 16, 2022
Tracked Since Feb 18, 2026