CVE-2021-34538 — HIGH (7.5)

Q: How severe is CVE-2021-34538?

CVE-2021-34538 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2021-34538?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Hive.

Vulnerability Description

Apache Hive before 3.1.3 "CREATE" and "DROP" function operations does not check for necessary authorization of involved entities in the query. It was found that an unauthorized user can manipulate an existing UDF without having the privileges to do so. This allowed unauthorized or underprivileged users to drop and recreate UDFs pointing them to new jars that could be potentially malicious.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Apache	Hive	< 3.1.3

Related Weaknesses (CWE)

CWE-306

References

https://lists.apache.org/thread/oqqgnhz4c6nxsfd0xstosnk0g15f7354Mailing ListVendor Advisory
https://lists.apache.org/thread/oqqgnhz4c6nxsfd0xstosnk0g15f7354Mailing ListVendor Advisory

FAQ

What is CVE-2021-34538?

CVE-2021-34538 is a vulnerability with a CVSS score of 7.5 (HIGH). Apache Hive before 3.1.3 "CREATE" and "DROP" function operations does not check for necessary authorization of involved entities in the query. It was found that an unauthorized user can manipulate an ...

How severe is CVE-2021-34538?

CVE-2021-34538 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2021-34538?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Hive.