{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-62728", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2025-10-21T07:37:11.650Z", "datePublished": "2025-11-26T08:45:37.472Z", "dateUpdated": "2025-11-27T00:12:29.874Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected", "packageName": "org.apache.hive:hive-standalone-metastore-server", "product": "Apache Hive", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "4.2.0", "status": "affected", "version": "4.1.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "WuKong (Tencent)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>SQL injection vulnerability in Hive Metastore Server (HMS) when processing delete column statistics requests via the Thrift APIs. The vulnerability is only exploitable by trusted/authorized users/applications that are allowed to call directly the Thrift APIs. In most real-world deployments, HMS is accessible to only a handful of applications (e.g., Hiveserver2) thus the vulnerability is not exploitable. Moreover, the vulnerable code cannot be reached when metastore.try.direct.sql property is set to false.</p><p>This issue affects Apache Hive: from 4.1.0 before 4.2.0.</p><p>Users are recommended to upgrade to version 4.2.0, which fixes the issue. Users who cannot upgrade directly are encouraged to set&nbsp;metastore.try.direct.sql property to false if the HMS Thrift APIs are exposed to general public.</p>"}], "value": "SQL injection vulnerability in Hive Metastore Server (HMS) when processing delete column statistics requests via the Thrift APIs. The vulnerability is only exploitable by trusted/authorized users/applications that are allowed to call directly the Thrift APIs. In most real-world deployments, HMS is accessible to only a handful of applications (e.g., Hiveserver2) thus the vulnerability is not exploitable. Moreover, the vulnerable code cannot be reached when metastore.try.direct.sql property is set to false.\n\nThis issue affects Apache Hive: from 4.1.0 before 4.2.0.\n\nUsers are recommended to upgrade to version 4.2.0, which fixes the issue. Users who cannot upgrade directly are encouraged to set\u00a0metastore.try.direct.sql property to false if the HMS Thrift APIs are exposed to general public."}], "metrics": [{"other": {"content": {"text": "moderate"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2025-11-26T10:29:09.543Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/yj65dd8dmzgy8p3nv8zy33v8knzg9o7g"}], "source": {"defect": ["HIVE-29269"], "discovery": "EXTERNAL"}, "title": "Apache Hive: SQL injection vulnerability when processing delete column statistics requests via the HMS Thrift APIs", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2025/11/26/3"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-27T00:12:29.874Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "SQL injection vulnerability in Hive Metastore Server (HMS) when processing delete column statistics requests via the Thrift APIs. The vulnerability is only exploitable by trusted/authorized users/applications that are allowed to call directly the Thrift APIs. In most real-world deployments, HMS is accessible to only a handful of applications (e.g., Hiveserver2) thus the vulnerability is not exploitable. Moreover, the vulnerable code cannot be reached when metastore.try.direct.sql property is set to false.\n\nThis issue affects Apache Hive: from 4.1.0 before 4.2.0.\n\nUsers are recommended to upgrade to version 4.2.0, which fixes the issue. Users who cannot upgrade directly are encouraged to set\u00a0metastore.try.direct.sql property to false if the HMS Thrift APIs are exposed to general public."}, {"lang": "es", "value": "Vulnerabilidad de inyecci\u00f3n SQL en Hive Metastore Server (HMS) al procesar solicitudes de eliminaci\u00f3n de estad\u00edsticas de columnas a trav\u00e9s de las API T.hrift. La vulnerabilidad solo puede ser explotada por usuarios/aplicaciones de confianza/autorizados a los que se les permite llamar directamente a las API Thrift. En la mayor\u00eda de las implementaciones del mundo real, solo unas pocas aplicaciones (por ejemplo, Hiveserver2) pueden acceder a HMS, por lo que la vulnerabilidad no es explotable. Adem\u00e1s, no se puede acceder al c\u00f3digo vulnerable cuando la propiedad metastore.try.direct.sql est\u00e1 establecida en false. Este problema afecta a Apache Hive: desde la versi\u00f3n 4.1.0 hasta la 4.2.0. Se recomienda a los usuarios que actualicen a la versi\u00f3n 4.2.0, que corrige el problema. Se recomienda a los usuarios que no puedan actualizar directamente que establezcan la propiedad metastore.try.direct.sql en false si las API Thrift de HMS est\u00e1n expuestas al p\u00fablico en general."}], "id": "CVE-2025-62728", "lastModified": "2025-11-27T01:15:46.867", "metrics": {}, "published": "2025-11-26T09:15:46.293", "references": [{"source": "security@apache.org", "url": "https://lists.apache.org/thread/yj65dd8dmzgy8p3nv8zy33v8knzg9o7g"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2025/11/26/3"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security@apache.org", "type": "Secondary"}]}

{}

{"created": "2025-11-27T09:45:59.453456+00:00", "updated": "2025-11-27T09:45:59.453481+00:00", "vendors": ["apache", "apache$PRODUCT$hive"]}