CVE-2024-29869 — Apache Hive Incorrectly Assigns Permissions for a Critical Resource

Description

Hive creates a credentials file to a temporary directory in the file system with permissions 644 by default when the file permissions are not set explicitly. Any unauthorized user having access to the directory can read the sensitive information written into this file. Users are recommended to upgrade to version 4.0.1, which fixes this issue.

How to fix CVE-2024-29869

To remediate CVE-2024-29869, upgrade the affected package to a fixed version below.

—upgrade to 4.0.1 or later

Is CVE-2024-29869 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 4.0.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.5	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-29869
PATCHgithub.com/apache/hive
WEBgithub.com/apache/hive/commit/20106e254527f7d71b2e34455c4322e14950c620
WEBissues.apache.org/jira/browse/HIVE-28134
WEB