CVE-2021-34538

HIGH7.5EPSS 0.45%

Apache Hive before 3.1.3 `CREATE` and `DROP` function operations do not check for necessary authorization.

Published: 7/17/2022Modified: 11/8/2023

Description

Apache Hive before 3.1.3 `CREATE` and `DROP` function operations do not check for necessary authorization of involved entities in the query. It was found that an unauthorized user can manipulate an existing UDF without having the privileges to do so. This allowed unauthorized or underprivileged users to drop and recreate UDFs pointing them to new jars that could be potentially malicious.

Affected packages (1)

Maven/org.apache.hive:hivefrom 0, < 3.1.3

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References (3)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2021-34538
PATCHhttps://github.com/apache/hive
WEBhttps://lists.apache.org/thread/oqqgnhz4c6nxsfd0xstosnk0g15f7354