Apache Hive through version 2.3.2 is vulnerable to the mishandling of xpath UDFs in UDFXPathUtil.java. An attacker could exploit this by passing crafted XML to access arbitrary files.

External References:
https://lists.apache.org/thread.html/29184dbce4a37be2af36e539ecb479b1d27868f73ccfdff46c7174b4@%3Cdev.hive.apache.org%3E

Upstream Issue:
https://issues.apache.org/jira/browse/HIVE-18879

Upstream Patches:
https://issues.apache.org/jira/secure/attachment/12913270/HIVE-18879.1.patch
https://issues.apache.org/jira/secure/attachment/12913453/HIVE-18879.1-branch-2.3.patch

Created hive tracking bugs for this issue:

Affects: fedora-all [bug 1564358]