
CVE-2018-1284: Exposure of Sensitive Information to an Unauthorized Actor in Apache Hive

CVSS Score: 3.7 (CVSS 3.0)

Basic Information

EPSS Score: 0.63591%
Published: 11/21/2018
Updated: 3/4/2024
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Package Name                 Ecosystem  Vulnerable Versions  First Patched Version
org.apache.hive:hive         maven      >= 0.6.0, < 2.3.3    2.3.3
org.apache.hive:hive-exec    maven      >= 0.6.0, < 2.3.3    2.3.3
org.apache.hive:hive-service maven      >= 0.6.0, < 2.3.3    2.3.3

Vulnerability Intelligence (Miggo AI)

Root Cause Analysis

The vulnerability stems from insecure XML parsing in UDFXPathUtil. The fix commit f80a38a adds XXE protections to the initialization of UDFXPathUtil's DocumentBuilderFactory, disabling the resolution of external entities. Before this fix, the eval method parsed the caller-supplied XML with a DocumentBuilderFactory left at its JAXP defaults, which resolve external general entities: an XML argument declaring an entity with a SYSTEM identifier that points at a local file, and referencing that entity from an element, made the parser read the file into the document, and the XPath expression then returned its contents to the caller. Every xpath UDF (xpath, xpath_string, xpath_boolean, xpath_number, xpath_double, xpath_float, xpath_long, xpath_int, xpath_short) passes its XML argument through this eval method, so the permissive parser configuration is the single root cause, and the file is read with the privileges of the HiveServer2 process. The test case added in TestUDFXPathUtil.java exercises exactly this scenario: an external entity pointing at a local file must no longer be expanded into the result.
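The following is an added example, not Hive's code and not the fix commit. It shows the configuration difference the analysis describes: the same XXE payload shape that Hive's test uses is parsed once with a DocumentBuilderFactory at JAXP defaults and once with external entities disabled, and an XPath expression is evaluated against each result the way xpath_string does. XPathXxeDemo, defaultBuilder, hardenedBuilder and evalString are hypothetical names chosen for this demonstration; the temp file and its contents are constructed sample input.

```java
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

// Added example, not Hive's code. The class and method names are hypothetical.
public class XPathXxeDemo {

    // Pre-fix shape: a DocumentBuilderFactory left at JAXP defaults, which resolve
    // external general entities. This is the XXE sink.
    static DocumentBuilder defaultBuilder() throws Exception {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    // Post-fix shape: external general and parameter entities are switched off before
    // the DocumentBuilder is created. A stricter option is to reject any DOCTYPE with
    // dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true),
    // which also stops entity-expansion denial-of-service payloads.
    static DocumentBuilder hardenedBuilder() throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder();
    }

    // What xpath_string(xml, path) boils down to: parse the XML string, then evaluate
    // the XPath expression against the document and return its string value.
    static String evalString(DocumentBuilder builder, String xml, String path) throws Exception {
        Document doc = builder.parse(new InputSource(new StringReader(xml)));
        XPath xpath = XPathFactory.newInstance().newXPath();
        return (String) xpath.evaluate(path, doc, XPathConstants.STRING);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: a temp file standing in for a file that only the
        // HiveServer2 user can read.
        Path secret = Files.createTempFile("hive-xxe-demo", ".txt");
        Files.write(secret, "super-secret-token".getBytes(StandardCharsets.UTF_8));
        secret.toFile().deleteOnExit();

        // Same shape as the payload in Hive's TestUDFXPathUtil: an external entity whose
        // SYSTEM identifier points at a local file, referenced from an element.
        String xml = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE foo [ <!ENTITY ext SYSTEM \"" + secret.toUri() + "\"> ]>\n"
            + "<foo>&ext;</foo>";

        // Default parser: the entity is resolved, the file's contents become the text
        // of <foo>, and the XPath evaluation hands them back to the caller.
        System.out.println("default parser : " + evalString(defaultBuilder(), xml, "/foo"));

        // Hardened parser: the entity reference is left unresolved, so <foo> has no
        // text and nothing from the file reaches the caller. This is the behaviour
        // the added Hive test asserts.
        System.out.println("hardened parser: " + evalString(hardenedBuilder(), xml, "/foo"));
    }
}
```

In HiveQL the same payload reaches the parser as the first argument of any of the xpath UDFs, for example SELECT xpath_string('<payload>', '/foo'), which is why the fix belongs in the shared parser configuration rather than in the individual UDF wrappers.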


WAF Protection Rules

WAF Rule

In Apache Hive 0.6.0 to 2.3.2, malicious user might use any xpath UDFs (xpath/xpath_string/xpath_boolean/xpath_number/xpath_double/xpath_float/xpath_long/xpath_int/xpath_short) to expose the content of a file on the machine running HiveServer2 owned
