Apache Hive Metastore (HMS) uses the SerializationUtilities#deserializeObjectWithTypeInformation method when filtering and fetching partitions. The method is unsafe and can lead to Remote Code Execution (RCE) because it allows the deserialization of arbitrary data.
In real deployments, the vulnerability can be exploited only by authenticated users/clients that were able to successfully establish a connection to the Metastore. From an API perspective, any code that calls the unsafe method may be vulnerable unless it performs additional pre-checks on the input arguments.
History
Thu, 05 Dec 2024 17:15:00 +0000
Type | Values Removed | Values Added
---|---|---
First Time appeared | | Apache, Apache hive
CPEs | | cpe:2.3:a:apache:hive:*:*:*:*:*:*:*:*
Vendors & Products | | Apache, Apache hive
Metrics | | cvssV3_1
Thu, 05 Dec 2024 11:00:00 +0000
Type | Values Removed | Values Added
---|---|---
References | |
Thu, 05 Dec 2024 10:15:00 +0000
Type | Values Removed | Values Added
---|---|---
Description | | Apache Hive Metastore (HMS) uses the SerializationUtilities#deserializeObjectWithTypeInformation method when filtering and fetching partitions. The method is unsafe and can lead to Remote Code Execution (RCE) because it allows the deserialization of arbitrary data. In real deployments, the vulnerability can be exploited only by authenticated users/clients that were able to successfully establish a connection to the Metastore. From an API perspective, any code that calls the unsafe method may be vulnerable unless it performs additional pre-checks on the input arguments.
Title | | Apache Hive: Deserialization of untrusted data when fetching partitions from the Metastore
Weaknesses | | CWE-502
References | |
MITRE
Status: PUBLISHED
Assigner: apache
Published: 2024-12-05T10:01:41.692Z
Updated: 2024-12-05T17:02:05.659Z
Reserved: 2022-09-20T14:55:51.817Z
Link: CVE-2022-41137
Vulnrichment
Updated: 2024-12-05T10:03:34.734Z
NVD
Status: Awaiting Analysis
Published: 2024-12-05T10:15:04.450
Modified: 2024-12-05T17:15:07.033
Link: CVE-2022-41137
Redhat
No data.