
CVE-2021-40331: Apache Ranger Hive Plugin missing permissions check

CVSS Score (v3.1): 8.1

Basic Information

EPSS Score: 0.26679%
Published: 5/5/2023
Updated: 11/10/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Package Name: org.apache.ranger:ranger-hive-plugin
Ecosystem: maven
Vulnerable Versions: >= 2.0.0, < 2.4.0
First Patched Version: 2.4.0

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from missing authorization checks for the ALTERTABLE_OWNER operation in the checkPrivileges method. The commit diff shows the addition of an else-if branch specifically for ALTERTABLE_OWNER, which constructs an access request requiring ALTER permission. Prior to this fix, the absence of this handling allowed users with only SELECT privileges to perform ownership changes, violating proper permission assignment. The targeted patch and CVE description confirm this was the root cause.
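The following is a constructed Java model of the dispatch shape described above, written for this page and not Apache Ranger's own code: the Op and Access enums, the input-object fallback and the SELECT-only caller are all assumptions, chosen only to show why a missing else-if branch lets SELECT authorise an ownership change and how the explicit ALTER branch closes it.

```java
import java.util.Set;

// Constructed model of the checkPrivileges dispatch, not Apache Ranger's code.
public class OwnerChangeAuthzModel {
    enum Op { QUERY, ALTERTABLE_OWNER }
    enum Access { SELECT, ALTER }

    // Constructed stand-in for deriving access from the statement's input
    // object: a table that is only referenced reads as SELECT.
    static Access accessImpliedByInputObject() {
        return Access.SELECT;
    }

    // Vulnerable shape: no branch for ALTERTABLE_OWNER, so the op falls
    // through to the input-object access type and SELECT alone suffices.
    static boolean checkPrivilegesVulnerable(Op op, Set<Access> userPrivs) {
        Access required;
        if (op == Op.QUERY) {
            required = Access.SELECT;
        } else {
            required = accessImpliedByInputObject();
        }
        return userPrivs.contains(required);
    }

    // Fixed shape: an explicit else-if for ALTERTABLE_OWNER builds the
    // access request with ALTER, so a SELECT-only user is denied.
    static boolean checkPrivilegesFixed(Op op, Set<Access> userPrivs) {
        Access required;
        if (op == Op.QUERY) {
            required = Access.SELECT;
        } else if (op == Op.ALTERTABLE_OWNER) {
            required = Access.ALTER;
        } else {
            required = accessImpliedByInputObject();
        }
        return userPrivs.contains(required);
    }

    public static void main(String[] args) {
        Set<Access> selectOnly = Set.of(Access.SELECT); // constructed caller
        System.out.println("vulnerable allows owner change: "
                + checkPrivilegesVulnerable(Op.ALTERTABLE_OWNER, selectOnly));
        System.out.println("fixed allows owner change: "
                + checkPrivilegesFixed(Op.ALTERTABLE_OWNER, selectOnly));
    }
}
```

The defensive lesson is that an authorizer which falls back to the access type implied by the statement's input objects is fail-open for any operation type it does not enumerate, so each new operation type needs its own explicit requirement.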


WAF Protection Rules

WAF Rule

An Incorrect Permission Assignment for Critical Resource vulnerability was found in the Apache Ranger Hive Plugin. Any user with SELECT privilege on a database can alter the ownership of the table in Hive when Apache Ranger Hive Plugin is enabled Thi
