GHSA-gf2v-9hp6-44qg

Source
https://github.com/advisories/GHSA-gf2v-9hp6-44qg
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/03/GHSA-gf2v-9hp6-44qg/GHSA-gf2v-9hp6-44qg.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-gf2v-9hp6-44qg
Aliases
Published
2019-03-14T15:40:32Z
Modified
2023-11-01T04:46:53.331261Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Summary
org.apache.hive:hive, org.apache.hive:hive-exec, and org.apache.hive:hive-service vulnerable to Improper Certificate Validation
Details

Apache Hive (the JDBC client and HiveServer2) implements SSL for both of its transport modes, plain TCP and HTTP. While validating the server's certificate during connection setup, the JDBC client in Apache Hive before 1.2.2 and 2.0.x before 2.0.1 does not appear to verify the certificate's common name (CN) attribute against the host it is connecting to. As a result, if the client opens an SSL connection to server abc.com and the server presents a certificate that is valid (signed by a trusted CA) but issued to xyz.com, the client accepts the certificate and the SSL handshake completes.
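
The weakness described above is the absence of endpoint identification (CWE-295): the certificate chain is checked, but the name in the certificate is never compared with the host the client asked for. The following Java snippet is an added example written for this page, not Hive's own source, and contrasts a raw JSSE socket that only validates the chain with one that also enables hostname verification. The class name, host name and port are hypothetical placeholders.

```java
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.io.IOException;

/**
 * Added example (not Hive's code): opening a TLS client socket with and
 * without endpoint identification. Host and port are placeholders.
 */
public final class HostnameVerificationExample {

    // Weak: a plain SSLSocket validates the certificate chain only. A certificate
    // validly issued by a trusted CA to xyz.com is accepted when connecting to
    // abc.com, which is the CWE-295 condition the advisory describes.
    static SSLSocket connectWithoutHostnameCheck(String host, int port) throws IOException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        socket.startHandshake();
        return socket;
    }

    // Hardened: ask JSSE to match the certificate's subject alternative names / CN
    // against the host passed to createSocket, using the HTTPS (RFC 2818) rules.
    // A mismatch makes startHandshake() throw an SSLHandshakeException.
    static SSLSocket connectWithHostnameCheck(String host, int port) throws IOException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        SSLParameters params = socket.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        socket.setSSLParameters(params);
        socket.startHandshake();
        return socket;
    }

    public static void main(String[] args) throws IOException {
        // Placeholder endpoint; pass a real host and port on the command line.
        String host = args.length > 0 ? args[0] : "hiveserver2.example.invalid";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 10000;
        try (SSLSocket s = connectWithHostnameCheck(host, port)) {
            System.out.println("Handshake OK, peer: " + s.getSession().getPeerPrincipal());
        }
    }
}
```

A quick way to confirm a client performs this check is to point it at a test server whose certificate is trusted but issued to a different name: the hardened variant fails the handshake, while the weak variant connects. For the HTTP transport the equivalent setting lives in the HTTP client's hostname verifier rather than in SSLParameters. For the affected artifacts themselves, the remediation given by this advisory is to upgrade to 1.2.2 or 2.0.1.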

Database specific
{
    "nvd_published_at": null,
    "github_reviewed_at": "2020-06-16T21:36:59Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-295"
    ]
}
References

Affected packages

Maven / org.apache.hive:hive
  Purl: pkg:maven/org.apache.hive/hive
  Range 1 (ECOSYSTEM): introduced 0 (unknown introduced version; all previous versions are affected), fixed 1.2.2
    Affected versions: 0.13.0, 0.13.1, 0.14.0, 1.0.0, 1.0.1, 1.1.0, 1.1.1, 1.2.0, 1.2.1
  Range 2 (ECOSYSTEM): introduced 2.0.0, fixed 2.0.1
    Affected versions: 2.0.0

Maven / org.apache.hive:hive-service
  Purl: pkg:maven/org.apache.hive/hive-service
  Range 1 (ECOSYSTEM): introduced 0 (unknown introduced version; all previous versions are affected), fixed 1.2.2
    Affected versions: 0.8.0, 0.8.1, 0.9.0, 0.10.0, 0.11.0, 0.12.0, 0.13.0, 0.13.1, 0.14.0, 1.0.0, 1.0.1, 1.1.0, 1.1.1, 1.2.0, 1.2.1
  Range 2 (ECOSYSTEM): introduced 2.0.0, fixed 2.0.1
    Affected versions: 2.0.0

Maven / org.apache.hive:hive-exec
  Purl: pkg:maven/org.apache.hive/hive-exec
  Range 1 (ECOSYSTEM): introduced 0 (unknown introduced version; all previous versions are affected), fixed 1.2.2
    Affected versions: 0.8.0, 0.8.1, 0.9.0, 0.10.0, 0.11.0, 0.12.0, 0.13.0, 0.13.1, 0.14.0, 1.0.0, 1.0.1, 1.1.0, 1.1.1, 1.2.0, 1.2.1
  Range 2 (ECOSYSTEM): introduced 2.0.0, fixed 2.0.1
    Affected versions: 2.0.0