| Vulnerability Name: | CVE-2021-34538 (CCN-231404) |
| Assigned: | 2021-06-10 |
| Published: | 2022-07-15 |
| Updated: | 2022-07-21 |
| Summary: | In Apache Hive before 3.1.3, the "CREATE FUNCTION" and "DROP FUNCTION" operations do not check that the caller holds the necessary authorization for the entities involved in the query. As a result, a user without the required privileges can manipulate an existing UDF: an unauthorized or underprivileged user can drop a UDF and recreate it under the same name, pointing it at a new jar that could be malicious. |
| CVSS v3 Severity: | 7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) |
| | 6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C) |
| | 6.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C) |
| CVSS v2 Severity: | 7.8 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:C/A:N) |
| Vulnerability Type: | CWE-306 (Missing Authentication for Critical Function) |
| Vulnerability Consequences: | Bypass Security |
| References: | Source: MITRE, Type: CNA: CVE-2021-34538 |
| | Source: XF, Type: UNKNOWN: apache-cve202134538-sec-bypass(231404) |
| | Source: CCN, Type: Apache Web site: Apache Hive |
| | Source: CCN, Type: Apache Mailing List, Friday, July 15, 2022 5:40:36 PM EDT: CVE-2021-34538: Security vulnerability in Hive with UDFs |
| | Source: CONFIRM, Type: Mailing List, Vendor Advisory: N/A |
| | Source: CCN, Type: IBM Security Bulletin 6830243 (QRadar User Behavior Analytics): Multiple vulnerabilities in Spark affecting IBM QRadar User Behavior Analytics |
| | Source: CCN, Type: IBM Security Bulletin 6988651 (InfoSphere Information Server): IBM InfoSphere Information Server is affected by a vulnerability in Apache Hive (CVE-2021-34538) |
| Vulnerable Configuration: | Configuration 1: |
| | Configuration CCN 1: |
| | Denotes that component is vulnerable |
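The abuse sequence the summary describes, followed by a metastore audit query a defender can run to find UDFs that have been re-pointed at an unexpected jar. This is an added example, not part of the CVE record and not Apache Hive's own code. The database, function, class, jar paths and the approved-prefix/owner allow-list are hypothetical; the metastore tables FUNCS, FUNC_RU and DBS and the JAR resource-type value 1 are the standard Hive metastore schema, and FROM_UNIXTIME is the MySQL spelling (use to_timestamp on PostgreSQL).

```sql
-- Added example (not from the CVE record or Apache Hive). Names are hypothetical.
--
-- Part 1 (HiveQL, run as a low-privilege session against Hive < 3.1.3).
-- An administrator registered the UDF earlier as:
--   CREATE FUNCTION analytics.mask_ssn AS 'com.example.udf.MaskSSN'
--     USING JAR 'hdfs:///apps/udfs/mask-1.0.jar';

-- DROP FUNCTION performs no authorization check on the affected versions, so
-- a user with no privilege on the function or database can remove it ...
DROP FUNCTION analytics.mask_ssn;

-- ... and CREATE FUNCTION performs none either, so the same name is
-- re-registered pointing at a jar under the attacker's control
-- (hypothetical path). Later callers of mask_ssn load this jar instead.
CREATE FUNCTION analytics.mask_ssn AS 'com.example.udf.MaskSSN'
  USING JAR 'hdfs:///tmp/staging/mask-1.0.jar';

-- Part 2 (run against the Hive metastore backing database, MySQL syntax).
-- Lists every permanent UDF whose jar lies outside the approved prefix or
-- whose owner is not an approved UDF maintainer. Both allow-list values are
-- assumptions for this example; adjust them to the deployment.
SELECT d.NAME                        AS db_name,
       f.FUNC_NAME                   AS func_name,
       f.CLASS_NAME                  AS class_name,
       f.OWNER_NAME                  AS owner,
       FROM_UNIXTIME(f.CREATE_TIME)  AS created_at,   -- CREATE_TIME is epoch seconds
       r.RESOURCE_URI                AS jar_uri
FROM   FUNCS   f
JOIN   DBS     d ON d.DB_ID   = f.DB_ID
JOIN   FUNC_RU r ON r.FUNC_ID = f.FUNC_ID
WHERE  r.RESOURCE_TYPE = 1                           -- 1 = JAR in the metastore ResourceType enum
  AND ( r.RESOURCE_URI NOT LIKE 'hdfs:///apps/udfs/%'
        OR f.OWNER_NAME NOT IN ('hive', 'udf-admin') )
ORDER BY f.CREATE_TIME DESC;
```

The audit query only detects a UDF that has already been replaced; because the missing check is in the server, no authorization policy on a vulnerable version prevents the DROP/CREATE pair, and the remediation is upgrading to Hive 3.1.3 or later as the advisory states. Run the query on a schedule and diff its output (function name, jar URI, CREATE_TIME) against a known-good baseline, since a recreated function gets a fresh CREATE_TIME even when the jar path is unchanged.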