CVE-2018-1314 - Vulnerability Details - OpenCVE

In Apache Hive 2.3.3, 3.1.0 and earlier, Hive "EXPLAIN" operation does not check for necessary authorization of involved entities in a query. An unauthorized user can do "EXPLAIN" on arbitrary table or view and expose table metadata and statistics.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00692.

Key SSVC decision points have not yet been added.

Vendors	Products
Apache	Hive

Configuration 1 [-]

OR	cpe:2.3:a:apache:hive::::::::
	cpe:2.3:a:apache:hive::::::::

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2018-0760	In Apache Hive 2.3.3, 3.1.0 and earlier, Hive "EXPLAIN" operation does not check for necessary authorization of involved entities in a query. An unauthorized user can do "EXPLAIN" on arbitrary table or view and expose table metadata and statistics.
Github GHSA	GHSA-jmf4-pq78-f8vj	Moderate severity vulnerability that affects org.apache.hive:hive-jdbc

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
http://www.securityfocus.com/bid/105884
https://lists.apache.org/thread.html/3da47dbcbf09697387f29d2f1aed970523b6b334d93afd3cced23727%40%3Cdev.hive.apache.org%3E

History

No history.

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2018-11-08T14:00:00

Updated: 2024-08-05T03:59:39.039Z

Reserved: 2017-12-07T00:00:00

Link: CVE-2018-1314

Vulnrichment

No data.

NVD

Status : Modified

Published: 2018-11-08T14:29:00.273

Modified: 2024-11-21T03:59:36.527

Link: CVE-2018-1314

Redhat

No data.

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "Apache Hive", "vendor": "Apache Software Foundation", "versions": [{"status": "affected", "version": "All versions of Hive including 2.3.3, 3.1.0 and earlier"}]}], "datePublic": "2018-11-07T00:00:00", "descriptions": [{"lang": "en", "value": "In Apache Hive 2.3.3, 3.1.0 and earlier, Hive \"EXPLAIN\" operation does not check for necessary authorization of involved entities in a query. An unauthorized user can do \"EXPLAIN\" on arbitrary table or view and expose table metadata and statistics."}], "problemTypes": [{"descriptions": [{"description": "Improper Access Control", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-11-13T10:57:01", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache"}, "references": [{"name": "105884", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/105884"}, {"tags": ["x_refsource_MISC"], "url": "https://lists.apache.org/thread.html/3da47dbcbf09697387f29d2f1aed970523b6b334d93afd3cced23727%40%3Cdev.hive.apache.org%3E"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@apache.org", "ID": "CVE-2018-1314", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Apache Hive", "version": {"version_data": [{"version_value": "All versions of Hive including 2.3.3, 3.1.0 and earlier"}]}}]}, "vendor_name": "Apache Software Foundation"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In Apache Hive 2.3.3, 3.1.0 and earlier, Hive \"EXPLAIN\" operation does not check for necessary authorization of involved entities in a query. An unauthorized user can do \"EXPLAIN\" on arbitrary table or view and expose table metadata and statistics."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Improper Access Control"}]}]}, "references": {"reference_data": [{"name": "105884", "refsource": "BID", "url": "http://www.securityfocus.com/bid/105884"}, {"name": "https://lists.apache.org/thread.html/3da47dbcbf09697387f29d2f1aed970523b6b334d93afd3cced23727@%3Cdev.hive.apache.org%3E", "refsource": "MISC", "url": "https://lists.apache.org/thread.html/3da47dbcbf09697387f29d2f1aed970523b6b334d93afd3cced23727@%3Cdev.hive.apache.org%3E"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T03:59:39.039Z"}, "title": "CVE Program Container", "references": [{"name": "105884", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/105884"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://lists.apache.org/thread.html/3da47dbcbf09697387f29d2f1aed970523b6b334d93afd3cced23727%40%3Cdev.hive.apache.org%3E"}]}]}, "cveMetadata": {"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2018-1314", "datePublished": "2018-11-08T14:00:00", "dateReserved": "2017-12-07T00:00:00", "dateUpdated": "2024-08-05T03:59:39.039Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:hive:*:*:*:*:*:*:*:*", "matchCriteriaId": "99DDFB6E-9EF9-4057-A755-62BFD92FBC16", "versionEndIncluding": "2.3.3", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:hive:*:*:*:*:*:*:*:*", "matchCriteriaId": "74E0A78C-9403-4F6E-B733-E3A26F07124B", "versionEndIncluding": "3.1.0", "versionStartIncluding": "3.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In Apache Hive 2.3.3, 3.1.0 and earlier, Hive \"EXPLAIN\" operation does not check for necessary authorization of involved entities in a query. An unauthorized user can do \"EXPLAIN\" on arbitrary table or view and expose table metadata and statistics."}, {"lang": "es", "value": "En Apache Hive en sus versiones 2.3.3, 3.1.0 y anteriores, la operaci\u00f3n \"EXPLAIN\" de Hive no comprueba la autorizaci\u00f3n necesaria de las entidades implicadas en una consulta. Un usuario no autorizado puede hacer \"EXPLAIN\" en una tabla o vista arbitrarias y exponer los metadatos y estad\u00edsticas de la tabla."}], "id": "CVE-2018-1314", "lastModified": "2024-11-21T03:59:36.527", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-11-08T14:29:00.273", "references": [{"source": "security@apache.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/105884"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/3da47dbcbf09697387f29d2f1aed970523b6b334d93afd3cced23727%40%3Cdev.hive.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/105884"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/3da47dbcbf09697387f29d2f1aed970523b6b334d93afd3cced23727%40%3Cdev.hive.apache.org%3E"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "nvd@nist.gov", "type": "Primary"}]}