Bug 1564357 (CVE-2018-1284) - CVE-2018-1284 hive: Mishandled input in UDFXPathUtil.java allows users to access arbitrary files via crafted XML
Keywords:
Status: NEW
Alias: CVE-2018-1284
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: medium / medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1564358
Blocks: 1564360
Reported: 2018-04-06 04:11 UTC by Sam Fowler
Modified: 2021-02-17 00:32 UTC (History)

Fixed In Version: hive 2.3.3, hive 3.0.0
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:



Description Sam Fowler 2018-04-06 04:11:46 UTC
Apache Hive through version 2.3.2 is vulnerable to the mishandling of xpath UDFs in UDFXPathUtil.java. An attacker could exploit this by passing crafted XML to access arbitrary files.


External References:

https://lists.apache.org/thread.html/29184dbce4a37be2af36e539ecb479b1d27868f73ccfdff46c7174b4@%3Cdev.hive.apache.org%3E


Upstream Issue:

https://issues.apache.org/jira/browse/HIVE-18879


Upstream Patches:

https://issues.apache.org/jira/secure/attachment/12913270/HIVE-18879.1.patch
https://issues.apache.org/jira/secure/attachment/12913453/HIVE-18879.1-branch-2.3.patch

Comment 1 Sam Fowler 2018-04-06 04:12:12 UTC
Created hive tracking bugs for this issue:

Affects: fedora-all [bug 1564358]

