CVE-2015-1772
Improper Authentication in org.apache.hive:hive, org.apache.hive:hive-exec, and org.apache.hive:hive-service
CVSS 3.1: 7.3 (HIGH)
EPSS: 0.16%
Description
The LDAP implementation in HiveServer2 in Apache Hive before 1.0.1 and 1.1.x before 1.1.1, as used in IBM InfoSphere BigInsights 3.0, 3.0.0.1, and 3.0.0.2 and other products, mishandles simple unauthenticated and anonymous bind configurations, which allows remote attackers to bypass authentication via a crafted LDAP request.
How to fix CVE-2015-1772
To remediate CVE-2015-1772, upgrade the affected package to a fixed version below.
- org.apache.hive:hive: upgrade to 1.0.1 or later
- org.apache.hive:hive-exec: upgrade to 1.0.1 or later
- org.apache.hive:hive-service: upgrade to 1.0.1 or later
Is CVE-2015-1772 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (3)
- org.apache.hive:hive: >= 1.0.0, < 1.0.1
- org.apache.hive:hive-exec: >= 1.0.0, < 1.0.1
- org.apache.hive:hive-service: >= 1.0.0, < 1.0.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |
References (6)
- ADVISORY: github.com/advisories/GHSA-5gvm-hrw5-h6xf
- ADVISORY: nvd.nist.gov/vuln/detail/CVE-2015-1772
- WEB: mail-archives.apache.org/mod_mbox/www-announce/201505.mbox/%3CCAOpgucy52yzNN1FaRcxwhZmx8ZtNRjmK6V0Bxk4svAD-R1q70Q@mail.gmail.com%3E
- WEB: www.cloudera.com/documentation/other/security-bulletins/topics/csb_topic_1.html