CVE-2021-34538

Missing Authentication for Critical Function in maven/org.apache.hive/hive

Identifiers

CVE-2021-34538

Package Slug

maven/org.apache.hive/hive

Vulnerability

Missing Authentication for Critical Function

Description

Apache Hive before 3.1.3 "CREATE" and "DROP" function operations does not check for necessary authorization of involved entities in the query. It was found that an unauthorized user can manipulate an existing UDF without having the privileges to do so. This allowed unauthorized or underprivileged users to drop and recreate UDFs pointing them to new jars that could be potentially malicious.

Affected Versions

All versions before 3.1.3

Solution

Upgrade to version 3.1.3 or above.

Last Modified

2022-07-25

source