CVE-2021-34538
Apache Hive before 3.1.3 `CREATE` and `DROP` function operations do not check for necessary authorization.
7.5
HIGH
CVSS 3.1
EPSS 0.45%
Description
Apache Hive before 3.1.3 `CREATE` and `DROP` function operations do not check for necessary authorization of involved entities in the query. It was found that an unauthorized user can manipulate an existing UDF without having the privileges to do so. This allowed unauthorized or underprivileged users to drop and recreate UDFs pointing them to new jars that could be potentially malicious.
How to fix CVE-2021-34538
To remediate CVE-2021-34538, upgrade the affected package to a fixed version below.
- —upgrade to 3.1.3 or later
Is CVE-2021-34538 being exploited?
Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 3.1.3
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |