Platform: java
Component: org.apache.hive:hive
Fixed in: 2.3.3
CVE-2018-1284 describes an XPath injection vulnerability affecting Apache Hive versions 0.6.0 through 2.3.2. By misusing the XPath User-Defined Functions (UDFs), a malicious user can potentially expose the content of files on the machine running HiveServer2. The vulnerability is rated as LOW severity and is resolved by upgrading to version 2.3.3.
An attacker can leverage this vulnerability by crafting malicious XPath queries through UDFs like xpath, xpath_string, and related functions. If hive.server2.enable.doAs=false, the HiveServer2 process runs with the privileges of the 'hive' user. Successful exploitation could lead to the exposure of sensitive files owned by this user, potentially including configuration files, credentials, or other data. The blast radius is limited to the HiveServer2 machine and the files accessible by the 'hive' user. While not a direct remote code execution (RCE) vulnerability, the information disclosure could be a stepping stone for further attacks.
CVE-2018-1284 was publicly disclosed on November 21, 2018. There is no indication of active exploitation campaigns targeting this vulnerability. While a public proof-of-concept may exist, it has not been widely reported. The vulnerability is not currently listed on CISA KEV. The LOW CVSS score reflects the limited impact and difficulty of exploitation.
Exploit Status
EPSS: 0.47% (64th percentile)
The primary mitigation for CVE-2018-1284 is to upgrade Apache Hive to version 2.3.3 or later, which contains the fix. If upgrading is not immediately feasible, consider temporarily disabling the use of XPath UDFs by configuring hive.support.concurrency=false and restricting user access to sensitive files. Monitor HiveServer2 logs for suspicious XPath queries. Implement a Web Application Firewall (WAF) with rules to detect and block malicious XPath expressions. After upgrading, verify the fix by attempting to execute a known malicious XPath query and confirming that it no longer exposes file content.
CVE-2018-1284 is a LOW severity vulnerability in Apache Hive versions 0.6.0 to 2.3.2 that allows attackers to potentially expose file content through malicious XPath queries.
You are affected if you are using Apache Hive versions 0.6.0 through 2.3.2 and have not upgraded. Check your configuration for hive.server2.enable.doAs=false.
Upgrade Apache Hive to version 2.3.3 or later. As a temporary workaround, disable XPath UDFs or restrict user access to sensitive files.
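The mitigation guidance above comes down to two checks a defender can automate: confirm whether a deployment's Hive dependency sits in the affected range (0.6.0 up to but not including 2.3.3), and review HiveServer2 query logs for XPath UDF invocations on servers that have not yet been upgraded. The script below is an added example written for this page, not code from the advisory or from the Apache Hive project. It assumes a Maven pom.xml declaring a dependency under groupId org.apache.hive (the artifactId hive-exec, the log line format, and all sample data are constructed), and it extends the two UDF names given in the advisory (xpath, xpath_string) with the sibling xpath_* UDFs that Hive ships alongside them.

```python
"""Added example for CVE-2018-1284 (not from the advisory or Apache Hive):
(1) report org.apache.hive dependencies in a pom.xml that fall in the
    affected range 0.6.0 <= version < 2.3.3;
(2) flag HiveServer2 query-log lines that invoke an XPath UDF for review.
All sample input below is constructed.
"""
import re
import xml.etree.ElementTree as ET

AFFECTED_MIN = (0, 6, 0)   # first affected version named in the advisory
FIXED_IN = (2, 3, 3)       # first fixed version named in the advisory

# xpath and xpath_string are named in the advisory; the others are the
# sibling XPath UDFs Hive ships with them (assumed from Hive's UDF list).
XPATH_UDFS = ("xpath", "xpath_string", "xpath_boolean", "xpath_short", "xpath_int",
              "xpath_long", "xpath_float", "xpath_double", "xpath_number")
# A UDF *call*: the name followed by '(' so table names like xpath_cache do not match.
XPATH_CALL = re.compile(r"\b(" + "|".join(XPATH_UDFS) + r")\s*\(", re.IGNORECASE)


def parse_version(text):
    """'2.3.2' -> (2, 3, 2); a non-numeric suffix such as '-SNAPSHOT' is dropped."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts) or None


def is_affected(version):
    """True when the version lies in the advisory's affected range."""
    v = parse_version(version)
    return v is not None and AFFECTED_MIN <= v < FIXED_IN


def hive_dependencies(pom_xml):
    """Return (artifactId, version) for every org.apache.hive dependency in a pom."""
    root = ET.fromstring(pom_xml)

    def local(tag):  # Maven poms are namespaced; compare on the local tag name
        return tag.rsplit("}", 1)[-1]

    found = []
    for dep in root.iter():
        if local(dep.tag) != "dependency":
            continue
        fields = {local(c.tag): (c.text or "").strip() for c in dep}
        if fields.get("groupId") == "org.apache.hive":
            found.append((fields.get("artifactId", ""), fields.get("version", "")))
    return found


def pom_report(pom_xml):
    """(artifactId, version, affected?) for each Hive dependency in the pom."""
    return [(a, v, is_affected(v)) for a, v in hive_dependencies(pom_xml)]


def flag_xpath_queries(log_lines):
    """(line number, udf name) for every log line that calls an XPath UDF."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = XPATH_CALL.search(line)
        if m:
            hits.append((n, m.group(1).lower()))
    return hits


# Constructed sample pom.xml with one Hive dependency in the affected range.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.apache.hive</groupId>
      <artifactId>hive-exec</artifactId>
      <version>2.3.2</version>
    </dependency>
    <dependency>
      <groupId>org.apache.hadoop</groupId>
      <artifactId>hadoop-common</artifactId>
      <version>2.7.3</version>
    </dependency>
  </dependencies>
</project>"""

# Constructed HiveServer2 log lines (format is assumed, not taken from Hive).
SAMPLE_LOG = [
    "2024-01-01 10:00:01 INFO ql.Driver: Executing command: SELECT count(*) FROM sales",
    "2024-01-01 10:00:05 INFO ql.Driver: Executing command: SELECT xpath_string(payload, 'a/b') FROM events",
    "2024-01-01 10:00:09 INFO ql.Driver: Executing command: SELECT name FROM xpath_cache",
    "2024-01-01 10:00:12 INFO ql.Driver: Executing command: SELECT XPATH(doc, 'a/*/text()') FROM docs",
]

if __name__ == "__main__":
    for artifact, version, affected in pom_report(SAMPLE_POM):
        print(f"{artifact} {version}: {'AFFECTED, upgrade to 2.3.3+' if affected else 'not affected'}")
    for line_no, udf in flag_xpath_queries(SAMPLE_LOG):
        print(f"review log line {line_no}: XPath UDF {udf}() invoked")
```

Flagged log lines are review candidates, not confirmed attacks: legitimate XML processing also uses these UDFs, so the triage decision should weigh who ran the query and whether the server is still in the affected range.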
There is no current evidence of active exploitation campaigns targeting CVE-2018-1284.
Refer to the Apache Hive security page for details: https://hive.apache.org/security/