QwikSec

Security Database

CVE

CWE

Training

CVE-2018-1284

Published: Apr 5, 2018

Modified: Sep 16, 2024

PUBLISHED

Description

In Apache Hive 0.6.0 to 2.3.2, malicious user might use any xpath UDFs (xpath/xpath_string/xpath_boolean/xpath_number/xpath_double/xpath_float/xpath_long/xpath_int/xpath_short) to expose the content of a file on the machine running HiveServer2 owned by HiveServer2 user (usually hive) if hive.server2.enable.doAs=false.

Vendor	Product	Versions
Apache Software Foundation	Apache Hive	affected `0.6.0 to 2.3.2`

References

[dev] 20180404 [SECURITY] CVE-2018-1284: Hive UDF series UDFXPathXXXX allow users to pass carefully crafted XML to access

mailing-list

x_refsource_MLIST

vdb-entry

x_refsource_BID

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.