CVE-2022-41137

HIGH

Apache Hive - RCE

Title source: llm

Description

Apache Hive Metastore (HMS) uses SerializationUtilities#deserializeObjectWithTypeInformation method when filtering and fetching partitions that is unsafe and can lead to Remote Code Execution (RCE) since it allows the deserialization of arbitrary data. In real deployments, the vulnerability can be exploited only by authenticated users/clients that were able to successfully establish a connection to the Metastore. From an API perspective any code that calls the unsafe method may be vulnerable unless it performs additional prerechecks on the input arguments.

References (5)

Scores

CVSS v3 8.3
EPSS 0.0621
EPSS Percentile 90.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H

Classification

CWE
CWE-502
Status published

Affected Products (2)

apache/hive
org.apache.hive/hive-exec < 4.0.0-alpha-2Maven

Timeline

Published Dec 05, 2024
Tracked Since Feb 18, 2026