CVE-2021-34538: Apache Hive Security vulnerability in Hive with UDFs
First published: Sat Jul 16 2022(Updated: )
Apache Hive before 3.1.3 "CREATE" and "DROP" function operations does not check for necessary authorization of involved entities in the query. It was found that an unauthorized user can manipulate an existing UDF without having the privileges to do so. This allowed unauthorized or underprivileged users to drop and recreate UDFs pointing them to new jars that could be potentially malicious.
Credit: security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache Hive | <3.1.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is CVE-2021-34538?
CVE-2021-34538 is a vulnerability in Apache Hive before version 3.1.3 that allows unauthorized users to manipulate existing UDFs without proper authorization.
What is the severity of CVE-2021-34538?
The severity of CVE-2021-34538 is high, with a severity value of 7.5.
How does CVE-2021-34538 affect Apache Hive?
CVE-2021-34538 affects Apache Hive versions before 3.1.3.
What is the impact of CVE-2021-34538?
The impact of CVE-2021-34538 is that unauthorized or underprivileged users can manipulate existing UDFs without the necessary privileges.
Is there a fix for CVE-2021-34538?
Yes, upgrading to Apache Hive version 3.1.3 or later fixes CVE-2021-34538.
- collector/nvd-index
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/references
- agent/severity
- agent/author
- agent/weakness
- agent/last-modified-date
- agent/event
- agent/description
- agent/first-publish-date
- agent/tags
- agent/source
- vendor/apache
- canonical/apache hive