Apache Hive Metastore (HMS) uses the SerializationUtilities#deserializeObjectWithTypeInformation method when filtering and fetching partitions. The method is unsafe and can lead to Remote Code Execution (RCE) because it deserializes arbitrary data. In real deployments the vulnerability can be exploited only by authenticated users/clients that were able to establish a connection to the Metastore. From an API perspective, any code that calls the unsafe method may be vulnerable unless it performs additional pre-checks on the input arguments.
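The weakness class here is CWE-502: when a serialized stream carries its own type information, the sender decides which class the receiver instantiates, and the receiver's cast or type check happens only after the object (and any code that runs during its construction) already exists. The Java below is an added illustration written for this page; it is not Hive's SerializationUtilities (Hive's class is built on the Kryo library, so its internals differ from the java.io stream used here), and the PartitionFilter class, method names and sample payloads are hypothetical. It places a deserializer that trusts the class name in the stream next to one that vets that name against an allow-list in resolveClass() before the class is loaded, which is the kind of pre-check on the input argument the description refers to. Requires Java 9 or later (Set.of).

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.HashMap;
import java.util.Set;

/**
 * Hypothetical example (not Hive code): a server receives a serialized
 * "partition filter" from an authenticated client. The stream names the
 * class to instantiate, so the client, not the server, picks the type.
 */
public class PartitionFilterDeserialization {

    /** The only type the server legitimately expects from a client. */
    public static final class PartitionFilter implements Serializable {
        private static final long serialVersionUID = 1L;
        public final String expression;

        public PartitionFilter(String expression) {
            this.expression = expression;
        }
    }

    /**
     * Vulnerable shape: readObject() instantiates whatever class the stream
     * names. Any type-dependent check can only happen afterwards, which is
     * too late for a class whose readObject/readResolve already ran.
     */
    public static Object deserializeUnsafe(byte[] bytes)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return in.readObject();
        }
    }

    /**
     * Hardened shape: resolveClass() is invoked with the class descriptor
     * before the class is loaded, so unknown names are rejected up front.
     * Only the expected filter type (and String, for its field) are allowed.
     */
    public static PartitionFilter deserializeChecked(byte[] bytes)
            throws IOException, ClassNotFoundException {
        Set<String> allowed = Set.of(PartitionFilter.class.getName(), String.class.getName());
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes)) {
            @Override
            protected Class<?> resolveClass(ObjectStreamClass desc)
                    throws IOException, ClassNotFoundException {
                if (!allowed.contains(desc.getName())) {
                    throw new InvalidClassException(desc.getName(),
                            "class not permitted in a partition filter");
                }
                return super.resolveClass(desc);
            }
        }) {
            // The cast is now safe: only allow-listed classes reach this point.
            return (PartitionFilter) in.readObject();
        }
    }

    /** Helper standing in for the client side: any Serializable becomes bytes. */
    public static byte[] serialize(Serializable object) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(object);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample payloads: one legitimate filter, one of a type the
        // server never asked for (HashMap stands in for an attacker-chosen class).
        byte[] benign = serialize(new PartitionFilter("ds='2024-12-05'"));
        byte[] hostile = serialize(new HashMap<String, String>());

        // Unsafe path: both payloads are instantiated; the server had no say.
        Object fromBenign = deserializeUnsafe(benign);
        Object fromHostile = deserializeUnsafe(hostile);
        System.out.println("unsafe path instantiated: " + fromBenign.getClass().getName()
                + " and " + fromHostile.getClass().getName());

        // Checked path: the legitimate filter is accepted, the other is refused
        // before its class is ever loaded.
        System.out.println("checked path accepted: " + deserializeChecked(benign).expression);
        try {
            deserializeChecked(hostile);
        } catch (InvalidClassException e) {
            System.out.println("checked path rejected: " + e.getMessage());
        }
    }
}
```

The allow-list is deliberately placed in resolveClass() rather than after readObject(): the point of the vulnerability is that instantiation itself is the dangerous step, so the check has to precede it. On Java 9 and later the same effect can be had declaratively with java.io.ObjectInputFilter (ObjectInputStream#setObjectInputFilter), which also lets you cap stream depth and array sizes; the override is shown here because it makes the ordering of check and instantiation explicit.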
History

Thu, 05 Dec 2024 17:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Apache
                                      Apache hive
CPEs                                  cpe:2.3:a:apache:hive:*:*:*:*:*:*:*:*
Vendors & Products                    Apache
                                      Apache hive
Metrics                               cvssV3_1
                                      {'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H'}
                                      ssvc
                                      {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 05 Dec 2024 11:00:00 +0000

Type Values Removed Values Added
References

Thu, 05 Dec 2024 10:15:00 +0000

Type          Values Removed   Values Added
Description                    Apache Hive Metastore (HMS) uses the SerializationUtilities#deserializeObjectWithTypeInformation method when filtering and fetching partitions. The method is unsafe and can lead to Remote Code Execution (RCE) because it deserializes arbitrary data. In real deployments the vulnerability can be exploited only by authenticated users/clients that were able to establish a connection to the Metastore. From an API perspective, any code that calls the unsafe method may be vulnerable unless it performs additional pre-checks on the input arguments.
Title                          Apache Hive: Deserialization of untrusted data when fetching partitions from the Metastore
Weaknesses                     CWE-502
References

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2024-12-05T10:01:41.692Z

Updated: 2024-12-05T17:02:05.659Z

Reserved: 2022-09-20T14:55:51.817Z

Link: CVE-2022-41137

Vulnrichment

Updated: 2024-12-05T10:03:34.734Z

NVD

Status: Awaiting Analysis

Published: 2024-12-05T10:15:04.450

Modified: 2024-12-05T17:15:07.033

Link: CVE-2022-41137

Redhat

No data.