CVE-2022-41137

HIGH · EPSS 73.6%
Published Dec 5, 2024 (1y ago) · Modified Jun 17, 2026 (2w ago)
8.3 CVSS 3.1
High

Description

Apache Hive Metastore (HMS) uses the SerializationUtilities#deserializeObjectWithTypeInformation method when filtering and fetching partitions. The method is unsafe and can lead to Remote Code Execution (RCE), since it allows the deserialization of arbitrary data. In real deployments, the vulnerability can be exploited only by authenticated users/clients that were able to successfully establish a connection to the Metastore. From an API perspective, any code that calls the unsafe method may be vulnerable unless it performs additional pre-checks on the input arguments.

CVSS Details

Base Score
8.3
Exploitability
2.8
Impact
5.5
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality Low
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
73.6% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-502 Deserialization of Untrusted Data

Affected Products 1

Vendor    Product    Version    Range
apache    hive       4.0.0      any

References 5

  • openwall.com http://www.openwall.com/lists/oss-security/2024/12/04/2
    Mailing List, Third Party Advisory
  • github.com https://github.com/apache/hive
    Product
  • github.com https://github.com/apache/hive/commit/60027bb9c91a93affcfebd9068f064bc1f2a74c9
    Patch
  • issues.apache.org https://issues.apache.org/jira/browse/HIVE-26539
    Issue Tracking
  • lists.apache.org https://lists.apache.org/thread/jwtr3d9yovf2wo0qlxvkhoxnwxxyzgts
    Mailing List, Vendor Advisory

Remediation

  • github.com https://github.com/apache/hive/commit/60027bb9c91a93affcfebd9068f064bc1f2a74c9
    Patch