CVE-2018-11777

In Apache Hive 2.3.3, 3.1.0 and earlier, local resources on HiveServer2 machines are not properly protected against malicious user if ranger, sentry or sql standard authorizer is not in use.

CVSS v3 8.1 HIGH
CVSS v2.0 5.5 MEDIUM

8.1^/10

CVSS v3 : HIGH

Vector : AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Exploitability : 2.8 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

5.5^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:S/C:P/I:P/A:N

Exploitability : 8.0 / Impact : 4.9

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://www.securityfocus.com/bid/105886	Third Party Advisory VDB Entry
https://lists.apache.org/thread.html/963c8e2516405c9b532b4add16c03b2c5db621e0c83e80f45049cbbb%40%3Cdev.hive.apache.org%3E

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:apache:hive::::::::
	cpe:2.3:a:apache:hive::::::::

History

No history.

Information

Published : 2018-11-08 14:29

Updated : 2024-02-04 20:03

NVD link : CVE-2018-11777

Mitre link : CVE-2018-11777

CVE.ORG link : CVE-2018-11777

JSON object : View

Products Affected

apache

hive

CWE

NVD-CWE-noinfo

{"id": "CVE-2018-11777", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:N", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 4.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 2.8}]}, "published": "2018-11-08T14:29:00.197", "references": [{"url": "http://www.securityfocus.com/bid/105886", "tags": ["Third Party Advisory", "VDB Entry"], "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread.html/963c8e2516405c9b532b4add16c03b2c5db621e0c83e80f45049cbbb%40%3Cdev.hive.apache.org%3E", "source": "security@apache.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "In Apache Hive 2.3.3, 3.1.0 and earlier, local resources on HiveServer2 machines are not properly protected against malicious user if ranger, sentry or sql standard authorizer is not in use."}, {"lang": "es", "value": "En Apache Hive en sus versiones 2.3.3, 3.1.0 y anteriores, los recursos locales de las m\u00e1quinas HiveServer2 no est\u00e1n protegidos adecuadamente contra usuarios maliciosos si no se est\u00e1 utilizando ranger, sentry o sql standard authorizer."}], "lastModified": "2023-11-07T02:51:46.160", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:hive:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "99DDFB6E-9EF9-4057-A755-62BFD92FBC16", "versionEndIncluding": "2.3.3"}, {"criteria": "cpe:2.3:a:apache:hive:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "74E0A78C-9403-4F6E-B733-E3A26F07124B", "versionEndIncluding": "3.1.0", "versionStartIncluding": "3.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@apache.org"}