CVE-2018-1284 — Exposure of Sensitive Information to an Unauthorized Actor in Apache hive

Description

In Apache Hive 0.6.0 to 2.3.2, malicious user might use any xpath UDFs (xpath/xpath_string/xpath_boolean/xpath_number/xpath_double/xpath_float/xpath_long/xpath_int/xpath_short) to expose the content of a file on the machine running HiveServer2 owned by HiveServer2 user (usually hive) if hive.server2.enable.doAs=false.

How to fix CVE-2018-1284

To remediate CVE-2018-1284, upgrade the affected package to a fixed version below.

—upgrade to 2.3.3 or later
—upgrade to 2.3.3 or later
—upgrade to 2.3.3 or later

Is CVE-2018-1284 being exploited?

Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

>= 0.6.0, < 2.3.3
>= 0.6.0, < 2.3.3
>= 0.6.0, < 2.3.3

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	LOW3.7	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

References (6)

ADVISORYgithub.com/advisories/GHSA-rxmr-c9jm-7mm8
ADVISORYnvd.nist.gov/vuln/detail/CVE-2018-1284
WEBgithub.com/apache/hive/commit/f80a38ae1174553022deae4f8774918401d9756d
WEBissues.apache.org/jira/browse/HIVE-18879