Vulnerability CVE-2014-0228

Vulnerability Name:

CVE-2014-0228 (CCN-93794)

Assigned:

2013-12-03

Published:

2014-06-12

Updated:

2018-10-09

Summary:

Apache Hive before 0.13.1, when in SQL standards based authorization mode, does not properly check the file permissions for (1) import and (2) export statements, which allows remote authenticated users to obtain sensitive information via a crafted URI.

CVSS v3 Severity:

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): Low Availibility (A): None

CVSS v2 Severity:

3.5 Low (CVSS v2 Vector: AV:N/AC:M/Au:S/C:P/I:N/A:N)
2.6 Low (Temporal CVSS v2 Vector: AV:N/AC:M/Au:S/C:P/I:N/A:N/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

Vulnerability Type:

CWE-284

Vulnerability Consequences:

Bypass Security

References:

Source: MITRE
Type: CNA
CVE-2014-0228

Source: CCN
Type: Apache Web site
Hive

Source: MLIST
Type: Vendor Advisory
[hive-user] 20140612 CVE-2014-0228: Apache Hive Authorization vulnerability

Source: MISC
Type: UNKNOWN
http://packetstormsecurity.com/files/127091/Apache-Hive-0.13.0-Authorization-Failure.html

Source: CCN
Type: oss-security Mailing List, Thu 12 Jun 2014
CVE-2014-0228: Apache Hive Authorization vulnerability

Source: CCN
Type: OSVDB ID: 108077
Apache Hive SQL Standards Based Authorization Mode Direct Resource Request Bypass

Source: BUGTRAQ
Type: UNKNOWN
20140612 CVE-2014-0228: Apache Hive Authorization vulnerability

Source: CCN
Type: BID-68039
Apache Hive CVE-2014-0228 Security Bypass Vulnerability

Source: XF
Type: UNKNOWN
apache-hive-cve20140228-sec-bypass(93794)

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2014-0228

Vulnerable Configuration:

Configuration 1:

cpe:/a:apache:hive:*:*:*:*:*:*:*:* (Version <= 0.13.0)

Configuration CCN 1:

cpe:/a:apache:hive:0.13.0:*:*:*:*:*:*:*

Denotes that component is vulnerable

BACK