Platform: java
Component: org.apache.hive:hive
Fixed in: 0.13.1
CVE-2014-0228 is a security vulnerability affecting Apache Hive versions up to 0.13.0. This flaw allows authenticated remote users to potentially access sensitive information through crafted URIs used in import and export operations. The vulnerability arises when Hive operates in SQL standards-based authorization mode, failing to properly validate file permissions. A fix is available in version 0.13.1.
An attacker exploiting CVE-2014-0228 can leverage crafted URIs within import and export statements to bypass file permission checks. This bypass allows them to read files that they should not have access to, potentially exposing sensitive data stored within Hive. The scope of data exposure depends on the permissions of the files accessible through the Hive metastore. While the CVSS score is LOW, the potential for data leakage, especially in environments where Hive stores sensitive data, warrants immediate attention. This vulnerability highlights the importance of proper authorization and access control configurations within Hive deployments.
CVE-2014-0228 was publicly disclosed in 2018. There is no indication of active exploitation campaigns targeting this vulnerability. No public proof-of-concept exploits are readily available. It is not listed on the CISA KEV catalog. The vulnerability's LOW severity and lack of public exploits suggest a relatively low exploitation probability.
Exploit Status
EPSS: 0.32% (55th percentile)
The primary mitigation for CVE-2014-0228 is to upgrade Apache Hive to version 0.13.1 or later. If upgrading is not immediately feasible, consider disabling SQL standards-based authorization mode as a temporary workaround, although this may impact other functionalities. Review and restrict file permissions within the Hive metastore to limit the potential impact of a successful exploit. Regularly audit Hive configurations and access controls to identify and address potential vulnerabilities. After upgrading, confirm the fix by attempting an import/export operation with a URI that should be denied access.
CVE-2014-0228 is a vulnerability in Apache Hive versions up to 0.13.0 that allows authenticated users to access sensitive information via crafted URIs in import/export statements when using SQL standards-based authorization.
You are affected if you are running Apache Hive versions 0.13.0 or earlier and have SQL standards-based authorization enabled.
Upgrade Apache Hive to version 0.13.1 or later. As a temporary workaround, disable SQL standards-based authorization mode.
There is no indication of active exploitation campaigns targeting CVE-2014-0228 at this time.
Refer to the Apache Hive security page for details: https://hive.apache.org/security/
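The exposure condition stated above (Hive 0.13.0 or earlier with SQL standards-based authorization enabled) can be checked against a deployment's version string and hive-site.xml. This is an added example, not code from the advisory or from Apache Hive; it assumes the standard Hive properties `hive.security.authorization.enabled` and `hive.security.authorization.manager`, the `SQLStdHiveAuthorizerFactory` class name, and a constructed sample config.

```python
import xml.etree.ElementTree as ET

FIXED = (0, 13, 1)  # "Fixed in" version from the advisory
# Assumed: standard Hive property names and the SQL-standard authorizer class name.
SQLSTD_MANAGER = "SQLStdHiveAuthorizerFactory"

# Constructed sample config, not taken from any real deployment.
SAMPLE_HIVE_SITE = """<configuration>
  <property><name>hive.security.authorization.enabled</name><value>true</value></property>
  <property>
    <name>hive.security.authorization.manager</name>
    <value>org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory</value>
  </property>
</configuration>"""

def parse_version(text):
    """Turn '0.13.0' or '0.13.0-SNAPSHOT' into a comparable tuple of ints."""
    core = text.split("-", 1)[0]
    parts = [int(p) for p in core.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def load_properties(hive_site_xml):
    """Read <property><name>/<value> pairs from locally owned hive-site.xml text."""
    props = {}
    for prop in ET.fromstring(hive_site_xml).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def sqlstd_auth_enabled(props):
    """True only when authorization is on and the SQL-standard authorizer is selected."""
    enabled = props.get("hive.security.authorization.enabled", "false").lower() == "true"
    return enabled and props.get("hive.security.authorization.manager", "").endswith(SQLSTD_MANAGER)

def assess(version, hive_site_xml):
    """Combine both conditions from the advisory into one verdict string."""
    old = parse_version(version) < FIXED
    sqlstd = sqlstd_auth_enabled(load_properties(hive_site_xml))
    if old and sqlstd:
        return "affected"
    if old:
        return "vulnerable version, SQL standards-based authorization not enabled"
    return "not affected"

if __name__ == "__main__":
    print(assess("0.13.0", SAMPLE_HIVE_SITE))
```

Vendor builds may backport the fix without changing the upstream version number, so treat a version-based "affected" result as a prompt to check the distribution's own advisory.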