Vulnerability Details : CVE-2021-34538
Apache Hive before 3.1.3 "CREATE" and "DROP" function operations does not check for necessary authorization of involved entities in the query. It was found that an unauthorized user can manipulate an existing UDF without having the privileges to do so. This allowed unauthorized or underprivileged users to drop and recreate UDFs pointing them to new jars that could be potentially malicious.
Products affected by CVE-2021-34538
- cpe:2.3:a:apache:hive:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-34538
0.24%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 46 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2021-34538
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
7.5
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
3.9
|
3.6
|
NIST |
CWE ids for CVE-2021-34538
-
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.Assigned by:
- nvd@nist.gov (Primary)
- security@apache.org (Secondary)
References for CVE-2021-34538
-
https://lists.apache.org/thread/oqqgnhz4c6nxsfd0xstosnk0g15f7354
[Security] CVE-2021-34538: Security vulnerability in Hive with UDFs-Apache Mail ArchivesMailing List;Vendor Advisory
Jump to