CVE-2018-1284: Exposure of Sensitive Information to an Unauthorized Actor in Apache Hive
CVSS Score: 3.7 (CVSS v3.0)
Basic Information
CVE ID: CVE-2018-1284
GHSA ID:
EPSS Score: 0.63591%
CWE:
Published: 11/21/2018
Updated: 3/4/2024
KEV Status: No
Technology: Java
Technical Details
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.apache.hive:hive | maven | >= 0.6.0, < 2.3.3 | 2.3.3 |
| org.apache.hive:hive-exec | maven | >= 0.6.0, < 2.3.3 | 2.3.3 |
| org.apache.hive:hive-service | maven | >= 0.6.0, < 2.3.3 | 2.3.3 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from insecure XML parsing in UDFXPathUtil. Commit f80a38a adds XXE protections to UDFXPathUtil's initialization by disabling external entity resolution. Before this fix, the eval method used a default DocumentBuilderFactory, which resolves external entities declared in a DOCTYPE, so a caller who controls the XML argument can declare an entity that points at a local file and have that file's contents copied into the UDF's result. Every xpath UDF (xpath, xpath_string, xpath_boolean and the numeric variants) ultimately calls this eval method, so the parser configuration, not any one UDF, is the root cause. The test case added in TestUDFXPathUtil.java exercises exactly this scenario: an XML document with an embedded external entity. Two caveats matter in practice: the file is read with the privileges of the HiveServer2 process, and the CVE description scopes the issue to deployments with hive.server2.enable.doAs=false (the low confidentiality impact and high attack complexity in the CVSS vector reflect this). The remediation is to run Hive 2.3.3 or later; releases from 0.6.0 up to 2.3.2 are affected.
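The following is an added, self-contained Java example, not Hive's code and not the commit's diff. It reproduces the shape of the problem described above: the same XPath-over-XML evaluation run once with a default DocumentBuilderFactory (the pre-fix behaviour) and once with external entities disabled (the fix), plus a stricter variant that rejects DOCTYPE declarations outright. The class and method names (XPathXxeDemo, permissiveFactory, hiveStyleFactory, strictFactory, evalString) are illustrative, and the "secret" file and the payload are constructed by the example itself so it runs offline.

```java
import java.io.File;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

// Illustrative class, not part of Apache Hive.
public class XPathXxeDemo {

  // Pre-fix shape: a default factory resolves external entities declared in a DOCTYPE.
  static DocumentBuilderFactory permissiveFactory() {
    return DocumentBuilderFactory.newInstance();
  }

  // Fix shape described on this page: keep DTD parsing but refuse to fetch
  // external general and parameter entities, so "&xxe;" is never resolved.
  static DocumentBuilderFactory hiveStyleFactory() throws Exception {
    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
    dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
    dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
    return dbf;
  }

  // Stricter option when callers never legitimately need a DTD: reject any
  // DOCTYPE before entity handling is even reached.
  static DocumentBuilderFactory strictFactory() throws Exception {
    DocumentBuilderFactory dbf = hiveStyleFactory();
    dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
    dbf.setXIncludeAware(false);
    dbf.setExpandEntityReferences(false);
    return dbf;
  }

  // Parse xml with the given factory and evaluate path as a string,
  // the same contract as xpath_string(xml, path).
  static String evalString(DocumentBuilderFactory dbf, String xml, String path) throws Exception {
    DocumentBuilder builder = dbf.newDocumentBuilder();
    Document doc = builder.parse(new InputSource(new StringReader(xml)));
    XPath xpath = XPathFactory.newInstance().newXPath();
    return (String) xpath.evaluate(path, doc, XPathConstants.STRING);
  }

  public static void main(String[] args) throws Exception {
    // Constructed stand-in for a sensitive file readable by the HiveServer2 user.
    File secret = File.createTempFile("hive-secret", ".txt");
    secret.deleteOnExit();
    Files.write(secret.toPath(), "db_password=hunter2".getBytes(StandardCharsets.UTF_8));

    // Constructed payload: the external entity's system identifier is the local file.
    String payload = "<?xml version=\"1.0\"?>"
        + "<!DOCTYPE a [<!ENTITY xxe SYSTEM \"" + secret.toURI() + "\">]>"
        + "<a>&xxe;</a>";

    // Pre-fix: the entity is expanded, so the file's bytes come back as the UDF result.
    System.out.println("permissive : " + evalString(permissiveFactory(), payload, "/a"));

    // Fix: the entity is skipped rather than fetched, so nothing from the file is returned.
    System.out.println("hive-style : '" + evalString(hiveStyleFactory(), payload, "/a") + "'");

    // Strict: the DOCTYPE itself is refused and parsing fails fast.
    try {
      System.out.println("strict     : " + evalString(strictFactory(), payload, "/a"));
    } catch (SAXParseException e) {
      System.out.println("strict     : rejected (" + e.getMessage() + ")");
    }
  }
}
```

The payload string is exactly what a caller would supply as the xml argument of any of the xpath UDFs; the first print shows the file content surfacing in the query result, the second shows the effect of the commit's change, and the third shows the fail-closed configuration to prefer in new code that never needs DTDs.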