*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Partial details (20 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.
Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
A cleverly devised username might bypass LDAP authentication checks. In LDAP-authenticated Derby installations, this could let an attacker fill up the disk by creating junk Derby databases. In LDAP-authenticated Derby installations, this could also allow the attacker to execute malware which was visible to and executable by the account which booted the Derby server. In LDAP-protected databases which weren't also protected by SQL GRANT/REVOKE authorization, this vulnerability could also let an attacker view and corrupt sensitive data and run sensitive database functions and procedures.
Mitigation:
Users should upgrade to Java 21 and Derby 10.17.1.0. Alternatively, users who wish to remain on older Java versions should build their own Derby distribution from one of the release families to which the fix was backported: 10.16, 10.15, and 10.14. Those are the releases which correspond, respectively, with Java LTS versions 17, 11, and 8.
In Apache Hadoop, the unTar function uses the unTarUsingJava function on Windows and the built-in tar utility on Unix and other OSes. As a result, a TAR entry may create a symlink under the expected extraction directory which points to an external directory. A subsequent TAR entry may extract an arbitrary file into the external directory using the symlink name. On Unix this would be caught by the targetDirPath check because of the getCanonicalPath call; on Windows, however, getCanonicalPath doesn't resolve symbolic links, which bypasses the check. unpackEntries during TAR extraction follows symbolic links, which allows writing outside the expected base directory on Windows. This was addressed in Apache Hadoop 3.2.3.
Apache Hadoop's FileUtil.unTar(File, File) API does not escape the input file name before it is passed to the shell. An attacker can inject arbitrary commands. This is only used in Hadoop 3.3 InMemoryAliasMap.completeBootstrapTransfer, which is only ever run by a local user. It has been used in Hadoop 2.x for YARN localization, which does enable remote code execution. It is used in Apache Spark, from the SQL command ADD ARCHIVE. As the ADD ARCHIVE command adds new binaries to the classpath, being able to execute shell scripts does not confer new permissions to the caller. SPARK-38305, "Check existence of file before untarring/zipping", which is included in 3.3.0, 3.1.4, 3.2.2, prevents shell commands being executed, regardless of which version of the hadoop libraries is in use. Users should upgrade to Apache Hadoop 2.10.2, 3.2.4, 3.3.3 or later (including HADOOP-18136).
Direct dependency fix Resolution (org.apache.hive:hive-jdbc): 4.0.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2019-20445
### Vulnerable Library - netty-all-4.0.52.Final.jar
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header.
Direct dependency fix Resolution (org.apache.hive:hive-jdbc): 4.0.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2019-20444
### Vulnerable Library - netty-all-4.0.52.Final.jar
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold."
It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern, resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default.
Direct dependency fix Resolution (org.apache.hive:hive-jdbc): 3.1.3
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2024-25638
### Vulnerable Library - dnsjava-2.1.7.jar
dnsjava is an implementation of DNS in Java. It supports all defined record types (including the DNSSEC types), and unknown types. It can be used for queries, zone transfers, and dynamic updates. It includes a cache which can be used by clients, and a minimal implementation of a server. It supports TSIG authenticated messages, partial DNSSEC verification, and EDNS0.
Path to dependency file: /nifi-nar-bundles/nifi-hadoop-libraries-bundle/nifi-hadoop-libraries-nar/pom.xml
Path to vulnerable library: /nifi-nar-bundles/nifi-hadoop-libraries-bundle/nifi-hadoop-libraries-nar/pom.xml,/nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-nar/pom.xml,/nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-processors/pom.xml
dnsjava is an implementation of DNS in Java. Records in DNS replies are not checked for their relevance to the query, allowing an attacker to respond with RRs from different zones. This vulnerability is fixed in 3.6.0.
Direct dependency fix Resolution (org.apache.hive:hive-jdbc): 4.0.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2021-25642
### Vulnerable Library - hadoop-yarn-server-resourcemanager-3.1.0.jar
ZKConfigurationStore which is optionally used by CapacityScheduler of Apache Hadoop YARN deserializes data obtained from ZooKeeper without validation. An attacker having access to ZooKeeper can run arbitrary commands as YARN user by exploiting this. Users should upgrade to Apache Hadoop 2.10.2, 3.2.4, 3.3.4 or later (containing YARN-11126) if ZKConfigurationStore is used.
Direct dependency fix Resolution (org.apache.hive:hive-jdbc): 4.0.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2020-9492
### Vulnerable Libraries - hadoop-hdfs-3.1.0.jar, hadoop-hdfs-client-3.1.0.jar
In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10.0, WebHDFS client might send SPNEGO authorization header to remote URL without proper verification.
In Apache Hadoop versions 3.0.0-alpha1 to 3.1.0, 2.9.0 to 2.9.1, and 2.2.0 to 2.8.4, a user who can escalate to yarn user can possibly run arbitrary commands as root user.
Aircompressor is a library with ports of the Snappy, LZO, LZ4, and Zstandard compression algorithms to Java. All decompressor implementations of Aircompressor (LZ4, LZO, Snappy, Zstandard) can crash the JVM for certain input, and in some cases also leak the content of other memory of the Java process (which could contain sensitive information). When decompressing certain data, the decompressors try to access memory outside the bounds of the given byte arrays or byte buffers. Because Aircompressor uses the JDK class `sun.misc.Unsafe` to speed up memory access, no additional bounds checks are performed and this has similar security consequences as out-of-bounds access in C or C++, namely it can lead to non-deterministic behavior or crash the JVM. Users should update to Aircompressor 0.27 or newer where these issues have been fixed. When decompressing data from untrusted users, this can be exploited for a denial-of-service attack by crashing the JVM, or to leak other sensitive information from the Java process. There are no known workarounds for this issue.
An issue was discovered in json-io through 4.14.0 that allows attackers to cause a denial of service or other unspecified impacts via a crafted object that uses cyclic dependencies.
CVE-2021-37137
### Vulnerable Library - netty-all-4.0.52.Final.jar
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
The Snappy frame decoder function doesn't restrict the chunk length which may lead to excessive memory usage. Beside this it also may buffer reserved skippable chunks until the whole chunk was received which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk.
Direct dependency fix Resolution (org.apache.hive:hive-jdbc): 4.0.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2021-37136
### Vulnerable Library - netty-all-4.0.52.Final.jar
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. The malicious input can trigger an OOME and so a DoS attack
Direct dependency fix Resolution (org.apache.hive:hive-jdbc): 4.0.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
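CVE-2021-37137 and CVE-2021-37136 above are the same failure in two codecs: the decoder allocates or buffers whatever the compressed stream says it will expand to, so a few hundred bytes of input become an OutOfMemoryError. The example below is added here and is not taken from Netty or from this issue; it shows the missing control using Python's bz2 API: decompress in bounded steps and abort as soon as the running output size passes a limit the caller chose, instead of sizing the buffer from the input. The bomb is constructed inline from a run of zero bytes.

```python
import bz2


class DecompressionLimitExceeded(ValueError):
    """Output would exceed the caller's limit; stop before allocating it."""


def bounded_bz2_decompress(data: bytes, max_output: int, step: int = 64 * 1024) -> bytes:
    """Decompress a bz2 stream without ever holding more than max_output
    (plus one step) bytes of output. Raises DecompressionLimitExceeded on a
    bomb and ValueError on a truncated stream."""
    decoder = bz2.BZ2Decompressor()
    out = bytearray()
    pending = data
    while not decoder.eof:
        # max_length caps how much the decoder may produce per call; the
        # unconsumed input stays buffered inside the decoder object, so the
        # next call continues with b''.
        piece = decoder.decompress(pending, max_length=step)
        pending = b''
        out += piece
        if len(out) > max_output:
            raise DecompressionLimitExceeded(
                f'decompressed size exceeds {max_output} bytes '
                f'(ratio so far {len(out) / max(len(data), 1):.0f}:1)')
        if not piece and decoder.needs_input:
            raise ValueError('truncated bz2 stream')
    return bytes(out)


def outcome(data: bytes, max_output: int) -> str:
    """'ok', 'limit', 'truncated' or 'corrupt', for table-driven checks."""
    try:
        bounded_bz2_decompress(data, max_output)
        return 'ok'
    except DecompressionLimitExceeded:
        return 'limit'
    except ValueError:
        return 'truncated'
    except OSError:          # bz2 reports a damaged stream as OSError
        return 'corrupt'


# Constructed inputs: a benign message and a 4 MiB run of zeros that bz2
# squeezes into a few hundred bytes.
BENIGN = bz2.compress(b'hello, bounded world')
BOMB = bz2.compress(b'\x00' * (4 * 1024 * 1024))
LIMIT = 1024 * 1024   # 1 MiB: the most this consumer is prepared to buffer


if __name__ == '__main__':
    print(len(BOMB), 'compressed bytes ->', outcome(BOMB, LIMIT))
    print(outcome(BENIGN, LIMIT), bounded_bz2_decompress(BENIGN, LIMIT))
```

The limit belongs to the consumer, not the codec: a handler that feeds decompressed frames into a 1 MiB message buffer should pass that same figure here, and a decoder that cannot ask for it (the Bzip2Decoder case above) has no way to protect that buffer.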
CVE-2021-34538
### Vulnerable Libraries - hive-metastore-3.1.2.jar, hive-standalone-metastore-3.1.2.jar
### hive-metastore-3.1.2.jar
The Apache Software Foundation provides support for the Apache community of open-source software projects. The Apache projects are characterized by a collaborative, consensus based development process, an open and pragmatic software license, and a desire to create high quality software that leads the way in its field. We consider ourselves not simply a group of projects sharing a server, but rather a community of developers and users.
In Apache Hive before 3.1.3, the "CREATE" and "DROP" function operations do not check for the necessary authorization of the entities involved in the query. It was found that an unauthorized user can manipulate an existing UDF without having the privileges to do so. This allowed unauthorized or underprivileged users to drop and recreate UDFs, pointing them to new jars that could potentially be malicious.
Direct dependency fix Resolution (org.apache.hive:hive-jdbc): 3.1.3
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2020-7238
### Vulnerable Library - netty-all-4.0.52.Final.jar
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked line) and a later Content-Length header. This issue exists because of an incomplete fix for CVE-2019-16869.
### Suggested Fix
Type: Upgrade version
Release Date: 2020-01-27
Fix Resolution (io.netty:netty-all): 4.1.44.Final
Direct dependency fix Resolution (org.apache.hive:hive-jdbc): 4.0.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2019-16869
### Vulnerable Library - netty-all-4.0.52.Final.jar
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling.
In Apache Thrift all versions up to and including 0.12.0, a server or client may run into an endless loop when fed with specific input data. Because the issue had already been partially fixed in version 0.11.0, depending on the installed version it affects only certain language bindings.
Apache Thrift Java client library versions 0.5.0 through 0.11.0 can bypass SASL negotiation isComplete validation in the org.apache.thrift.transport.TSaslTransport class. An assert used to determine if the SASL handshake had successfully completed could be disabled in production settings making the validation incomplete.
:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
Vulnerable Library - hive-jdbc-3.1.2.jar
Path to dependency file: /nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-processors/pom.xml
Path to vulnerable library: /nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-processors/pom.xml,/nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-nar/pom.xml
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2021-44228
### Vulnerable Library - log4j-core-2.10.0.jar
The Apache Log4j Implementation
Library home page: https://www.apache.org/
Path to dependency file: /nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-nar/pom.xml
Path to vulnerable library: /nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-nar/pom.xml,/nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-processors/pom.xml
Dependency Hierarchy:
- hive-jdbc-3.1.2.jar (Root Library)
  - hive-common-3.1.2.jar
    - hive-shims-3.1.2.jar
      - hive-shims-common-3.1.2.jar
        - log4j-slf4j-impl-2.10.0.jar
          - :x: **log4j-core-2.10.0.jar** (Vulnerable Library)
Found in base branch: main
### Vulnerability Details
Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
Publish Date: 2021-12-10
URL: CVE-2021-44228
### CVSS 3 Score Details (10.0)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
### Suggested Fix
Type: Upgrade version
Origin: https://logging.apache.org/log4j/2.x/security.html
Release Date: 2021-12-10
Fix Resolution (org.apache.logging.log4j:log4j-core): 2.12.2
Direct dependency fix Resolution (org.apache.hive:hive-jdbc): 3.1.3
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2022-46337
### Vulnerable Library - derby-10.14.1.0.jar
Contains the core Apache Derby database engine, which also includes the embedded JDBC driver.
Library home page: http://db.apache.org/
Path to dependency file: /nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-nar/pom.xml
Path to vulnerable library: /nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-nar/pom.xml,/nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-processors/pom.xml
Dependency Hierarchy:
- hive-jdbc-3.1.2.jar (Root Library)
  - hive-service-3.1.2.jar
    - hive-metastore-3.1.2.jar
      - hive-standalone-metastore-3.1.2.jar
        - :x: **derby-10.14.1.0.jar** (Vulnerable Library)
Found in base branch: main
### Vulnerability Details
A cleverly devised username might bypass LDAP authentication checks. In LDAP-authenticated Derby installations, this could let an attacker fill up the disk by creating junk Derby databases. In LDAP-authenticated Derby installations, this could also allow the attacker to execute malware which was visible to and executable by the account which booted the Derby server. In LDAP-protected databases which weren't also protected by SQL GRANT/REVOKE authorization, this vulnerability could also let an attacker view and corrupt sensitive data and run sensitive database functions and procedures.
Mitigation:
Users should upgrade to Java 21 and Derby 10.17.1.0. Alternatively, users who wish to remain on older Java versions should build their own Derby distribution from one of the release families to which the fix was backported: 10.16, 10.15, and 10.14. Those are the releases which correspond, respectively, with Java LTS versions 17, 11, and 8.
Publish Date: 2023-11-20
URL: CVE-2022-46337
### CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
### Suggested Fix
Type: Upgrade version
Origin: https://issues.apache.org/jira/browse/DERBY-7147
Release Date: 2023-11-20
Fix Resolution (org.apache.derby:derby): 10.17.1.0
Direct dependency fix Resolution (org.apache.hive:hive-jdbc): 4.0.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2022-26612
### Vulnerable Library - hadoop-common-3.1.0.jar
Apache Hadoop Common
Library home page: http://www.apache.org
Path to dependency file: /nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-processors/pom.xml
Path to vulnerable library: /nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-processors/pom.xml,/nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-nar/pom.xml
Dependency Hierarchy:
- hive-jdbc-3.1.2.jar (Root Library)
  - hive-common-3.1.2.jar
    - hive-shims-3.1.2.jar
      - hive-shims-0.23-3.1.2.jar
        - hadoop-yarn-server-resourcemanager-3.1.0.jar
          - hadoop-yarn-server-common-3.1.0.jar
            - hadoop-yarn-registry-3.1.0.jar
              - :x: **hadoop-common-3.1.0.jar** (Vulnerable Library)
Found in base branch: main
### Vulnerability Details
In Apache Hadoop, the unTar function uses the unTarUsingJava function on Windows and the built-in tar utility on Unix and other OSes. As a result, a TAR entry may create a symlink under the expected extraction directory which points to an external directory. A subsequent TAR entry may extract an arbitrary file into the external directory using the symlink name. On Unix this would be caught by the targetDirPath check because of the getCanonicalPath call; on Windows, however, getCanonicalPath doesn't resolve symbolic links, which bypasses the check. unpackEntries during TAR extraction follows symbolic links, which allows writing outside the expected base directory on Windows. This was addressed in Apache Hadoop 3.2.3.
Publish Date: 2022-04-07
URL: CVE-2022-26612
### CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
### Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2022-26612
Release Date: 2022-04-07
Fix Resolution (org.apache.hadoop:hadoop-common): 3.1.3
Direct dependency fix Resolution (org.apache.hive:hive-jdbc): 4.0.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2022-25168
### Vulnerable Library - hadoop-common-3.1.0.jar
Apache Hadoop Common
Library home page: http://www.apache.org
Path to dependency file: /nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-processors/pom.xml
Path to vulnerable library: /nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-processors/pom.xml,/nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-nar/pom.xml
Dependency Hierarchy:
- hive-jdbc-3.1.2.jar (Root Library)
  - hive-common-3.1.2.jar
    - hive-shims-3.1.2.jar
      - hive-shims-0.23-3.1.2.jar
        - hadoop-yarn-server-resourcemanager-3.1.0.jar
          - hadoop-yarn-server-common-3.1.0.jar
            - hadoop-yarn-registry-3.1.0.jar
              - :x: **hadoop-common-3.1.0.jar** (Vulnerable Library)
Found in base branch: main
### Vulnerability Details
Apache Hadoop's FileUtil.unTar(File, File) API does not escape the input file name before it is passed to the shell. An attacker can inject arbitrary commands. This is only used in Hadoop 3.3 InMemoryAliasMap.completeBootstrapTransfer, which is only ever run by a local user. It has been used in Hadoop 2.x for YARN localization, which does enable remote code execution. It is used in Apache Spark, from the SQL command ADD ARCHIVE. As the ADD ARCHIVE command adds new binaries to the classpath, being able to execute shell scripts does not confer new permissions to the caller. SPARK-38305, "Check existence of file before untarring/zipping", which is included in 3.3.0, 3.1.4, 3.2.2, prevents shell commands being executed, regardless of which version of the hadoop libraries is in use. Users should upgrade to Apache Hadoop 2.10.2, 3.2.4, 3.3.3 or later (including HADOOP-18136).
Publish Date: 2022-08-04
URL: CVE-2022-25168
### CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
### Suggested Fix
Type: Upgrade version
Origin: https://lists.apache.org/thread/mxqnb39jfrwgs3j6phwvlrfq4mlox130
Release Date: 2022-08-04
Fix Resolution (org.apache.hadoop:hadoop-common): 3.2.4
Direct dependency fix Resolution (org.apache.hive:hive-jdbc): 4.0.0
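The two hadoop-common entries above (CVE-2022-26612 and CVE-2022-25168) are two distinct mistakes in one routine: FileUtil.unTar built a shell command from the archive name, and its Java fallback canonicalised entry paths without resolving symlinks, so a symlink entry followed by a file entry written through it escaped the target directory. The extractor below is an added example, not Hadoop's code and not from this issue; it avoids both by using the tarfile API rather than a shell and by checking every entry, and every symlink target, against the real, link-resolved path of the extraction root. The malicious archive is constructed inline; the example assumes a POSIX filesystem on which the current user may create symlinks.

```python
import io
import os
import tarfile
import tempfile


def _inside(root: str, path: str) -> bool:
    """True if `path` resolves to `root` or somewhere beneath it.
    realpath() follows symlinks that already exist on disk, which is exactly
    the step a canonicalisation that ignores links (the Windows
    getCanonicalPath case) skips."""
    real_root = os.path.realpath(root)
    real_path = os.path.realpath(path)
    return os.path.commonpath([real_root, real_path]) == real_root


def safe_untar(archive: str, target: str):
    """Extract `archive` into `target`, refusing anything that would land
    outside it. Returns (extracted_names, rejected_names)."""
    extracted, rejected = [], []
    os.makedirs(target, exist_ok=True)
    # tarfile is a library call: the archive name is never part of a shell
    # command line, so a name like "x.tar; rm -rf /" is just a file name.
    with tarfile.open(archive) as tf:
        for member in tf.getmembers():
            dest = os.path.join(target, member.name)   # absolute names fail the check below
            if os.path.isabs(member.name) or not _inside(target, dest):
                rejected.append(member.name)
                continue
            if member.issym():
                link_target = os.path.join(os.path.dirname(dest), member.linkname)
                if os.path.isabs(member.linkname) or not _inside(target, link_target):
                    rejected.append(member.name)     # link that escapes the root
                    continue
                os.makedirs(os.path.dirname(dest), exist_ok=True)
                os.symlink(member.linkname, dest)
            elif member.isdir():
                os.makedirs(dest, exist_ok=True)
            elif member.isfile():
                os.makedirs(os.path.dirname(dest), exist_ok=True)
                with tf.extractfile(member) as src, open(dest, 'wb') as dst:
                    dst.write(src.read())
            else:
                rejected.append(member.name)         # hard links, devices, FIFOs
                continue
            extracted.append(member.name)
    return extracted, rejected


def build_malicious_tar(path: str, outside_dir: str) -> None:
    """Constructed test archive: a symlink pointing outside the extraction
    root, a file written through that symlink, and a plain ../ traversal."""
    payload = b'owned\n'
    with tarfile.open(path, 'w') as tf:
        def add_file(name: str) -> None:
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))

        add_file('good/a.txt')
        link = tarfile.TarInfo('link')
        link.type = tarfile.SYMTYPE
        link.linkname = outside_dir
        tf.addfile(link)
        add_file('link/evil.txt')
        add_file('../escape.txt')


def demo():
    """Run the extractor on the constructed archive; returns what was
    extracted, what was rejected, and whether anything leaked outside."""
    with tempfile.TemporaryDirectory() as work:
        outside = os.path.join(work, 'outside')
        target = os.path.join(work, 'target')
        archive = os.path.join(work, 'evil.tar')
        os.makedirs(outside)
        build_malicious_tar(archive, outside)
        extracted, rejected = safe_untar(archive, target)
        leaked = (os.path.exists(os.path.join(outside, 'evil.txt'))
                  or os.path.exists(os.path.join(work, 'escape.txt')))
        return extracted, rejected, leaked


if __name__ == '__main__':
    print(demo())
```

Because the escaping symlink is refused, the later `link/evil.txt` entry lands in an ordinary directory created inside the target, which is the safe outcome; the check is re-done per entry against the filesystem as it exists at that moment, so a link that was created earlier (even one that predates extraction) is resolved rather than trusted.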
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2019-20445
### Vulnerable Library - netty-all-4.0.52.Final.jar
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Library home page: http://netty.io/
Path to dependency file: /nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-processors/pom.xml
Path to vulnerable library: /nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-processors/pom.xml,/nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-nar/pom.xml
Dependency Hierarchy:
- hive-jdbc-3.1.2.jar (Root Library)
  - hive-common-3.1.2.jar
    - orc-core-1.5.6.jar
      - hadoop-hdfs-3.1.0.jar
        - :x: **netty-all-4.0.52.Final.jar** (Vulnerable Library)
Found in base branch: main
### Vulnerability Details
HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header.
Publish Date: 2020-01-29
URL: CVE-2019-20445
### CVSS 3 Score Details (9.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: None
### Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20445
Release Date: 2020-01-29
Fix Resolution (io.netty:netty-all): 4.1.44.Final
Direct dependency fix Resolution (org.apache.hive:hive-jdbc): 4.0.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2019-20444
### Vulnerable Library - netty-all-4.0.52.Final.jar
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Library home page: http://netty.io/
Path to dependency file: /nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-processors/pom.xml
Path to vulnerable library: /nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-processors/pom.xml,/nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-nar/pom.xml
Dependency Hierarchy:
- hive-jdbc-3.1.2.jar (Root Library)
  - hive-common-3.1.2.jar
    - orc-core-1.5.6.jar
      - hadoop-hdfs-3.1.0.jar
        - :x: **netty-all-4.0.52.Final.jar** (Vulnerable Library)
Found in base branch: main
### Vulnerability Details
HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold."
Publish Date: 2020-01-29
URL: CVE-2019-20444
### CVSS 3 Score Details (9.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: None
### Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20444
Release Date: 2020-01-29
Fix Resolution (io.netty:netty-all): 4.1.44.Final
Direct dependency fix Resolution (org.apache.hive:hive-jdbc): 4.0.0
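The four Netty HttpObjectDecoder entries in this issue (CVE-2019-20445, CVE-2019-20444, CVE-2020-7238 and CVE-2019-16869) are all request-smuggling primitives: two parsers in the chain disagree about where a message ends because one of them tolerated a duplicate Content-Length, a Content-Length next to Transfer-Encoding, whitespace before the colon, or a header line with no colon at all. The parser below is an added example, not Netty's code and not from this issue; it shows the strict choice for each of those shapes: reject the head outright rather than pick an interpretation. The sample requests are constructed for the example.

```python
import re


class FramingError(ValueError):
    """Raised for any request head whose body length is ambiguous."""


# RFC 7230 field-name: one or more tchar, no whitespace anywhere.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
_DIGITS = re.compile(r'^[0-9]+$')


def parse_request_head(raw: bytes):
    """Split a request head into (request_line, headers, framing), where
    framing is ('chunked', None), ('length', n) or None when there is no body."""
    head, sep, _body = raw.partition(b'\r\n\r\n')
    if not sep:
        raise FramingError('incomplete head')
    lines = head.split(b'\r\n')
    request_line = lines[0].decode('ascii')
    headers = []
    for line in lines[1:]:
        if line[:1] in (b' ', b'\t'):
            # obs-fold. A leading space also hides " Transfer-Encoding:chunked"
            # from a parser that matches names only at column 0 (CVE-2020-7238 shape).
            raise FramingError(f'line folding rejected: {line!r}')
        name, colon, value = line.partition(b':')
        if not colon:
            raise FramingError(f'header line without colon: {line!r}')     # CVE-2019-20444 shape
        name = name.decode('latin-1')
        if not _TOKEN.match(name):
            # "Transfer-Encoding : chunked" ends up here: trailing space in the name.
            raise FramingError(f'invalid header name: {name!r}')            # CVE-2019-16869 shape
        headers.append((name.lower(), value.strip().decode('latin-1')))

    lengths = [v for n, v in headers if n == 'content-length']
    encodings = [v for n, v in headers if n == 'transfer-encoding']
    if lengths and encodings:
        raise FramingError('Content-Length together with Transfer-Encoding')  # CVE-2019-20445 shape
    if len(lengths) > 1:
        # RFC 7230 tolerates identical duplicates; a strict edge parser does not.
        raise FramingError('multiple Content-Length headers')                 # CVE-2019-20445 shape
    if encodings:
        codings = [c.strip().lower() for c in ','.join(encodings).split(',')]
        if codings[-1] != 'chunked':
            raise FramingError('Transfer-Encoding without final chunked')
        return request_line, headers, ('chunked', None)
    if lengths:
        if not _DIGITS.match(lengths[0]):
            raise FramingError(f'non-numeric Content-Length: {lengths[0]!r}')
        return request_line, headers, ('length', int(lengths[0]))
    return request_line, headers, None


def classify(raw: bytes) -> str:
    """'ok' or the rejection reason; handy for table-driven checks."""
    try:
        parse_request_head(raw)
        return 'ok'
    except FramingError as exc:
        return f'rejected: {exc}'


# Constructed sample requests for the example.
SAMPLES = {
    'clean':         b'POST /upload HTTP/1.1\r\nHost: app.example\r\nContent-Length: 5\r\n\r\nhello',
    'cl_and_te':     b'POST /upload HTTP/1.1\r\nHost: app.example\r\nContent-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n',
    'double_cl':     b'POST /upload HTTP/1.1\r\nHost: app.example\r\nContent-Length: 5\r\nContent-Length: 50\r\n\r\nhello',
    'space_colon':   b'POST /upload HTTP/1.1\r\nHost: app.example\r\nTransfer-Encoding : chunked\r\n\r\n0\r\n\r\n',
    'leading_space': b'POST /upload HTTP/1.1\r\nHost: app.example\r\n Transfer-Encoding:chunked\r\nContent-Length: 5\r\n\r\n0\r\n\r\n',
    'no_colon':      b'GET / HTTP/1.1\r\nHost app.example\r\n\r\n',
}

if __name__ == '__main__':
    for label, raw in SAMPLES.items():
        print(f'{label:14s} {classify(raw)}')
```

Every rejection here corresponds to a request that a lenient front end might forward as one message and a strict back end read as two; the point of the fixed Netty versions is the same: stop guessing and fail the request.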
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2021-45046
### Vulnerable Library - log4j-core-2.10.0.jar
The Apache Log4j Implementation
Library home page: https://www.apache.org/
Path to dependency file: /nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-nar/pom.xml
Path to vulnerable library: /nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-nar/pom.xml,/nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-processors/pom.xml
Dependency Hierarchy:
- hive-jdbc-3.1.2.jar (Root Library)
  - hive-common-3.1.2.jar
    - hive-shims-3.1.2.jar
      - hive-shims-common-3.1.2.jar
        - log4j-slf4j-impl-2.10.0.jar
          - :x: **log4j-core-2.10.0.jar** (Vulnerable Library)
Found in base branch: main
### Vulnerability Details
It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern, resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default.
Publish Date: 2021-12-14
URL: CVE-2021-45046
### CVSS 3 Score Details (9.0)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
### Suggested Fix
Type: Upgrade version
Origin: https://logging.apache.org/log4j/2.x/security.html
Release Date: 2021-12-14
Fix Resolution (org.apache.logging.log4j:log4j-core): 2.12.2
Direct dependency fix Resolution (org.apache.hive:hive-jdbc): 3.1.3
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2024-25638
### Vulnerable Library - dnsjava-2.1.7.jar
dnsjava is an implementation of DNS in Java. It supports all defined record types (including the DNSSEC types), and unknown types. It can be used for queries, zone transfers, and dynamic updates. It includes a cache which can be used by clients, and a minimal implementation of a server. It supports TSIG authenticated messages, partial DNSSEC verification, and EDNS0.
Library home page: http://www.dnsjava.org
Path to dependency file: /nifi-nar-bundles/nifi-hadoop-libraries-bundle/nifi-hadoop-libraries-nar/pom.xml
Path to vulnerable library: /nifi-nar-bundles/nifi-hadoop-libraries-bundle/nifi-hadoop-libraries-nar/pom.xml,/nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-nar/pom.xml,/nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-processors/pom.xml
Dependency Hierarchy:
- hive-jdbc-3.1.2.jar (Root Library)
  - hive-common-3.1.2.jar
    - hive-shims-3.1.2.jar
      - hive-shims-0.23-3.1.2.jar
        - hadoop-yarn-server-resourcemanager-3.1.0.jar
          - hadoop-yarn-server-common-3.1.0.jar
            - hadoop-yarn-registry-3.1.0.jar
              - :x: **dnsjava-2.1.7.jar** (Vulnerable Library)
Found in base branch: main
### Vulnerability Details
dnsjava is an implementation of DNS in Java. Records in DNS replies are not checked for their relevance to the query, allowing an attacker to respond with RRs from different zones. This vulnerability is fixed in 3.6.0.
Publish Date: 2024-07-22
URL: CVE-2024-25638
### CVSS 3 Score Details (8.9)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: Low
### Suggested Fix
Type: Upgrade version
Origin: https://github.com/dnsjava/dnsjava/security/advisories/GHSA-cfxw-4h78-h7fw
Release Date: 2024-07-22
Fix Resolution (dnsjava:dnsjava): 3.6.0
Direct dependency fix Resolution (org.apache.hive:hive-jdbc): 4.0.0
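The dnsjava entry above describes a resolver that trusts whatever records a reply carries, so a response can smuggle in records for names the client never asked about. The filter below is an added example, not dnsjava code and not from this issue, of the check CVE-2024-25638 says was missing: only answer records for the queried name (or for a name reached from it through a CNAME chain that is itself present in the answer section) and of the queried type are kept. It goes one step beyond the advisory text by also keeping authority and additional records only when they lie inside the zone the queried server is responsible for, which is what caching resolvers call a bailiwick check. The reply is a constructed in-memory message, not wire-format DNS.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    """One resource record from a reply; section is answer, authority or additional."""
    name: str
    rtype: str
    rdata: str
    section: str


def _norm(name: str) -> str:
    """Lower-case with a single trailing dot, so comparisons are exact."""
    return name.lower().rstrip('.') + '.'


def _in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` is `zone` itself or a descendant of it."""
    n, z = _norm(name), _norm(zone)
    return z == '.' or n == z or n.endswith('.' + z)


def sanitize_reply(qname: str, qtype: str, zone: str, records):
    """Return the records a client may use from a reply to (qname, qtype)
    obtained from a server responsible for `zone`; everything else is dropped."""
    qname = _norm(qname)
    qtype = qtype.upper()
    accepted = []

    # Answer section: the owner must be the query name or a name we reached by
    # following an accepted CNAME, and the type must be the query type or CNAME.
    answers = [r for r in records if r.section == 'answer']
    wanted = {qname}
    progress = True
    while progress:                 # loop until the CNAME chain stops growing
        progress = False
        for r in answers:
            if r in accepted or _norm(r.name) not in wanted:
                continue
            if r.rtype.upper() == qtype:
                accepted.append(r)
            elif r.rtype.upper() == 'CNAME':
                accepted.append(r)
                target = _norm(r.rdata)
                if target not in wanted:
                    wanted.add(target)
                    progress = True

    # Authority/additional: only in-bailiwick records. Out-of-zone "glue" is
    # the classic cache-poisoning vehicle and gets no say here.
    for r in records:
        if r.section in ('authority', 'additional') and _in_bailiwick(r.name, zone):
            accepted.append(r)
    return accepted


# Constructed reply for "www.example.com A" as if sent by example.com's server.
SAMPLE_REPLY = [
    RR('www.example.com', 'CNAME', 'web.example.com', 'answer'),
    RR('web.example.com', 'A', '192.0.2.10', 'answer'),
    RR('www.example.com', 'TXT', 'v=spf1 -all', 'answer'),        # wrong type
    RR('login.bank.example', 'A', '203.0.113.5', 'answer'),        # never asked for
    RR('example.com', 'NS', 'ns1.example.com', 'authority'),
    RR('ns1.example.com', 'A', '192.0.2.53', 'additional'),
    RR('login.bank.example', 'A', '203.0.113.5', 'additional'),    # out of bailiwick
]


def demo():
    return sanitize_reply('www.example.com', 'A', 'example.com', SAMPLE_REPLY)


if __name__ == '__main__':
    for rr in demo():
        print(rr)
```

The CNAME chase is deliberately restricted to names that appear in the same answer section; a CNAME whose target the reply does not also answer is kept as a CNAME but gives the sender no licence to inject an A record for an unrelated name.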
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2021-25642
### Vulnerable Library - hadoop-yarn-server-resourcemanager-3.1.0.jar
Apache Hadoop Project POM
Library home page: http://www.apache.org
Path to dependency file: /nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-nar/pom.xml
Path to vulnerable library: /nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-nar/pom.xml,/nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-processors/pom.xml
Dependency Hierarchy:
- hive-jdbc-3.1.2.jar (Root Library)
  - hive-common-3.1.2.jar
    - hive-shims-3.1.2.jar
      - hive-shims-0.23-3.1.2.jar
        - :x: **hadoop-yarn-server-resourcemanager-3.1.0.jar** (Vulnerable Library)
Found in base branch: main
### Vulnerability Details
ZKConfigurationStore which is optionally used by CapacityScheduler of Apache Hadoop YARN deserializes data obtained from ZooKeeper without validation. An attacker having access to ZooKeeper can run arbitrary commands as YARN user by exploiting this. Users should upgrade to Apache Hadoop 2.10.2, 3.2.4, 3.3.4 or later (containing YARN-11126) if ZKConfigurationStore is used.
Publish Date: 2022-08-25
URL: CVE-2021-25642
### CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
### Suggested Fix
Type: Upgrade version
Origin: https://lists.apache.org/thread/g6vf2h4wdgzzdgk91mqozhs58wotq150
Release Date: 2022-08-25
Fix Resolution (org.apache.hadoop:hadoop-yarn-server-resourcemanager): 3.2.4
Direct dependency fix Resolution (org.apache.hive:hive-jdbc): 4.0.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.CVE-2020-9492
### Vulnerable Libraries - hadoop-hdfs-3.1.0.jar, hadoop-hdfs-client-3.1.0.jar
### hadoop-hdfs-3.1.0.jar
Apache Hadoop HDFS
Library home page: http://www.apache.org
Path to dependency file: /nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-processors/pom.xml
Path to vulnerable library: /nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-processors/pom.xml,/nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-nar/pom.xml
Dependency Hierarchy:
- hive-jdbc-3.1.2.jar (Root Library)
  - hive-common-3.1.2.jar
    - orc-core-1.5.6.jar
      - :x: **hadoop-hdfs-3.1.0.jar** (Vulnerable Library)

### hadoop-hdfs-client-3.1.0.jar
Apache Hadoop HDFS Client
Library home page: http://www.apache.org
Path to dependency file: /nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-processors/pom.xml
Path to vulnerable library: /nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-processors/pom.xml,/nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-nar/pom.xml
Dependency Hierarchy:
- hive-jdbc-3.1.2.jar (Root Library)
  - hive-service-3.1.2.jar
    - hive-metastore-3.1.2.jar
      - hbase-client-2.0.0-alpha4.jar
        - hbase-hadoop2-compat-2.0.0-alpha4.jar
          - hadoop-mapreduce-client-core-3.1.0.jar
            - :x: **hadoop-hdfs-client-3.1.0.jar** (Vulnerable Library)

Found in base branch: main
### Vulnerability Details
In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10.0, the WebHDFS client might send the SPNEGO authorization header to a remote URL without proper verification.
Publish Date: 2021-01-26
URL: CVE-2020-9492
### CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

### Suggested Fix
Type: Upgrade version
Origin: https://lists.apache.org/thread.html/rca4516b00b55b347905df45e5d0432186248223f30497db87aba8710@%3Cannounce.apache.org%3E
Release Date: 2024-09-03
Fix Resolution (org.apache.hadoop:hadoop-hdfs): 3.1.4
Direct dependency fix Resolution (org.apache.hive:hive-jdbc): 4.0.0
Fix Resolution (org.apache.hadoop:hadoop-hdfs-client): 3.1.4
Direct dependency fix Resolution (org.apache.hive:hive-jdbc): 4.0.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

## CVE-2018-8029
### Vulnerable Library - hadoop-common-3.1.0.jar
Apache Hadoop Common
Library home page: http://www.apache.org
Path to dependency file: /nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-processors/pom.xml
Path to vulnerable library: /nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-processors/pom.xml,/nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-nar/pom.xml
Dependency Hierarchy:
- hive-jdbc-3.1.2.jar (Root Library)
  - hive-common-3.1.2.jar
    - hive-shims-3.1.2.jar
      - hive-shims-0.23-3.1.2.jar
        - hadoop-yarn-server-resourcemanager-3.1.0.jar
          - hadoop-yarn-server-common-3.1.0.jar
            - hadoop-yarn-registry-3.1.0.jar
              - :x: **hadoop-common-3.1.0.jar** (Vulnerable Library)

Found in base branch: main
### Vulnerability Details
In Apache Hadoop versions 3.0.0-alpha1 to 3.1.0, 2.9.0 to 2.9.1, and 2.2.0 to 2.8.4, a user who can escalate to yarn user can possibly run arbitrary commands as root user.
Publish Date: 2019-05-30
URL: CVE-2018-8029
### CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

### Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8029
Release Date: 2019-05-30
Fix Resolution (org.apache.hadoop:hadoop-common): 3.1.1
Direct dependency fix Resolution (org.apache.hive:hive-jdbc): 4.0.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

## CVE-2024-36114
### Vulnerable Library - aircompressor-0.10.jar
Compression algorithms
Library home page: http://github.com/airlift/aircompressor
Path to dependency file: /nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-nar/pom.xml
Path to vulnerable library: /nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-nar/pom.xml,/nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-processors/pom.xml
Dependency Hierarchy:
- hive-jdbc-3.1.2.jar (Root Library)
  - hive-common-3.1.2.jar
    - orc-core-1.5.6.jar
      - :x: **aircompressor-0.10.jar** (Vulnerable Library)

Found in base branch: main
### Vulnerability Details
Aircompressor is a library with ports of the Snappy, LZO, LZ4, and Zstandard compression algorithms to Java. All decompressor implementations of Aircompressor (LZ4, LZO, Snappy, Zstandard) can crash the JVM for certain input, and in some cases also leak the content of other memory of the Java process (which could contain sensitive information). When decompressing certain data, the decompressors try to access memory outside the bounds of the given byte arrays or byte buffers. Because Aircompressor uses the JDK class `sun.misc.Unsafe` to speed up memory access, no additional bounds checks are performed and this has similar security consequences as out-of-bounds access in C or C++, namely it can lead to non-deterministic behavior or crash the JVM. Users should update to Aircompressor 0.27 or newer where these issues have been fixed. When decompressing data from untrusted users, this can be exploited for a denial-of-service attack by crashing the JVM, or to leak other sensitive information from the Java process. There are no known workarounds for this issue.
Publish Date: 2024-05-29
URL: CVE-2024-36114
### CVSS 3 Score Details (8.6)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: High

### Suggested Fix
Type: Upgrade version
Origin: https://github.com/airlift/aircompressor/security/advisories/GHSA-973x-65j7-xcf4
Release Date: 2024-05-29
Fix Resolution (io.airlift:aircompressor): 0.27
Direct dependency fix Resolution (org.apache.hive:hive-jdbc): 4.0.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

## CVE-2023-34610
### Vulnerable Library - json-io-2.5.1.jar
Java JSON serialization
Library home page: https://github.com/jdereg/json-io
Path to dependency file: /nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-processors/pom.xml
Path to vulnerable library: /nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-processors/pom.xml,/nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-nar/pom.xml
Dependency Hierarchy:
- hive-jdbc-3.1.2.jar (Root Library)
  - hive-common-3.1.2.jar
    - hive-shims-3.1.2.jar
      - hive-shims-0.23-3.1.2.jar
        - hadoop-yarn-server-resourcemanager-3.1.0.jar
          - hadoop-yarn-server-applicationhistoryservice-3.1.0.jar
            - fst-2.50.jar
              - java-util-1.9.0.jar
                - :x: **json-io-2.5.1.jar** (Vulnerable Library)

Found in base branch: main
### Vulnerability Details
An issue was discovered in json-io through 4.14.0 that allows attackers to cause a denial of service or other unspecified impacts via a crafted object that uses cyclic dependencies.
Publish Date: 2023-06-14
URL: CVE-2023-34610
### CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

## CVE-2021-37137
### Vulnerable Library - netty-all-4.0.52.Final.jar
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Library home page: http://netty.io/
Path to dependency file: /nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-processors/pom.xml
Path to vulnerable library: /nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-processors/pom.xml,/nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-nar/pom.xml
Dependency Hierarchy:
- hive-jdbc-3.1.2.jar (Root Library)
  - hive-common-3.1.2.jar
    - orc-core-1.5.6.jar
      - hadoop-hdfs-3.1.0.jar
        - :x: **netty-all-4.0.52.Final.jar** (Vulnerable Library)

Found in base branch: main
### Vulnerability Details
The Snappy frame decoder function doesn't restrict the chunk length, which may lead to excessive memory usage. Besides this, it also may buffer reserved skippable chunks until the whole chunk was received, which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk.
Publish Date: 2021-10-19
URL: CVE-2021-37137
### CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

### Suggested Fix
Type: Upgrade version
Origin: https://github.com/advisories/GHSA-9vjp-v76f-g363
Release Date: 2021-10-19
Fix Resolution (io.netty:netty-all): 4.1.68.Final
Direct dependency fix Resolution (org.apache.hive:hive-jdbc): 4.0.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

## CVE-2021-37136
### Vulnerable Library - netty-all-4.0.52.Final.jar
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Library home page: http://netty.io/
Path to dependency file: /nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-processors/pom.xml
Path to vulnerable library: /nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-processors/pom.xml,/nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-nar/pom.xml
Dependency Hierarchy:
- hive-jdbc-3.1.2.jar (Root Library)
  - hive-common-3.1.2.jar
    - orc-core-1.5.6.jar
      - hadoop-hdfs-3.1.0.jar
        - :x: **netty-all-4.0.52.Final.jar** (Vulnerable Library)

Found in base branch: main
### Vulnerability Details
The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. Malicious input can trigger an OOME and so a DoS attack.
Publish Date: 2021-10-19
URL: CVE-2021-37136
### CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

### Suggested Fix
Type: Upgrade version
Origin: https://github.com/netty/netty/security/advisories/GHSA-grg4-wf29-r9vv
Release Date: 2021-10-19
Fix Resolution (io.netty:netty-all): 4.1.68.Final
Direct dependency fix Resolution (org.apache.hive:hive-jdbc): 4.0.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

## CVE-2021-34538
### Vulnerable Libraries - hive-metastore-3.1.2.jar, hive-standalone-metastore-3.1.2.jar
### hive-metastore-3.1.2.jar
The Apache Software Foundation provides support for the Apache community of open-source software projects. The Apache projects are characterized by a collaborative, consensus based development process, an open and pragmatic software license, and a desire to create high quality software that leads the way in its field. We consider ourselves not simply a group of projects sharing a server, but rather a community of developers and users.
Library home page: https://www.apache.org/
Path to dependency file: /nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-processors/pom.xml
Path to vulnerable library: /nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-processors/pom.xml,/nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-nar/pom.xml
Dependency Hierarchy:
- hive-jdbc-3.1.2.jar (Root Library)
  - hive-service-3.1.2.jar
    - :x: **hive-metastore-3.1.2.jar** (Vulnerable Library)

### hive-standalone-metastore-3.1.2.jar
The Apache Software Foundation provides support for the Apache community of open-source software projects. The Apache projects are characterized by a collaborative, consensus based development process, an open and pragmatic software license, and a desire to create high quality software that leads the way in its field. We consider ourselves not simply a group of projects sharing a server, but rather a community of developers and users.
Library home page: https://www.apache.org/
Path to dependency file: /nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-processors/pom.xml
Path to vulnerable library: /nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-processors/pom.xml,/nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-nar/pom.xml
Dependency Hierarchy:
- hive-jdbc-3.1.2.jar (Root Library)
  - hive-service-3.1.2.jar
    - hive-metastore-3.1.2.jar
      - :x: **hive-standalone-metastore-3.1.2.jar** (Vulnerable Library)

Found in base branch: main
### Vulnerability Details
In Apache Hive before 3.1.3, the "CREATE" and "DROP" function operations do not check for the necessary authorization of the entities involved in the query. It was found that an unauthorized user can manipulate an existing UDF without having the privileges to do so. This allowed unauthorized or underprivileged users to drop and recreate UDFs, pointing them to new jars that could be potentially malicious.
Publish Date: 2022-07-16
URL: CVE-2021-34538
### CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: High
  - Availability Impact: None

### Suggested Fix
Type: Upgrade version
Origin: https://lists.apache.org/thread/oqqgnhz4c6nxsfd0xstosnk0g15f7354
Release Date: 2022-07-16
Fix Resolution (org.apache.hive:hive-metastore): 3.1.3
Direct dependency fix Resolution (org.apache.hive:hive-jdbc): 3.1.3
Fix Resolution (org.apache.hive:hive-standalone-metastore): 3.1.3
Direct dependency fix Resolution (org.apache.hive:hive-jdbc): 3.1.3
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

## CVE-2020-7238
### Vulnerable Library - netty-all-4.0.52.Final.jar
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Library home page: http://netty.io/
Path to dependency file: /nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-processors/pom.xml
Path to vulnerable library: /nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-processors/pom.xml,/nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-nar/pom.xml
Dependency Hierarchy:
- hive-jdbc-3.1.2.jar (Root Library)
  - hive-common-3.1.2.jar
    - orc-core-1.5.6.jar
      - hadoop-hdfs-3.1.0.jar
        - :x: **netty-all-4.0.52.Final.jar** (Vulnerable Library)

Found in base branch: main
### Vulnerability Details
Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked line) and a later Content-Length header. This issue exists because of an incomplete fix for CVE-2019-16869.
Publish Date: 2020-01-27
URL: CVE-2020-7238
### CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: High
  - Availability Impact: None

### Suggested Fix
Type: Upgrade version
Release Date: 2020-01-27
Fix Resolution (io.netty:netty-all): 4.1.44.Final
Direct dependency fix Resolution (org.apache.hive:hive-jdbc): 4.0.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

## CVE-2019-16869
### Vulnerable Library - netty-all-4.0.52.Final.jar
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Library home page: http://netty.io/
Path to dependency file: /nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-processors/pom.xml
Path to vulnerable library: /nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-processors/pom.xml,/nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-nar/pom.xml
Dependency Hierarchy:
- hive-jdbc-3.1.2.jar (Root Library)
  - hive-common-3.1.2.jar
    - orc-core-1.5.6.jar
      - hadoop-hdfs-3.1.0.jar
        - :x: **netty-all-4.0.52.Final.jar** (Vulnerable Library)

Found in base branch: main
### Vulnerability Details
Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling.
Publish Date: 2019-09-26
URL: CVE-2019-16869
### CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: High
  - Availability Impact: None

### Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16869
Release Date: 2019-09-26
Fix Resolution (io.netty:netty-all): 4.1.42.Final
Direct dependency fix Resolution (org.apache.hive:hive-jdbc): 4.0.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

## CVE-2019-0205
### Vulnerable Library - libthrift-0.9.3.jar
Thrift is a software framework for scalable cross-language services development.
Path to dependency file: /nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-nar/pom.xml
Path to vulnerable library: /nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-nar/pom.xml,/nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-processors/pom.xml
Dependency Hierarchy:
- hive-jdbc-3.1.2.jar (Root Library)
  - hive-common-3.1.2.jar
    - hive-shims-3.1.2.jar
      - hive-shims-common-3.1.2.jar
        - :x: **libthrift-0.9.3.jar** (Vulnerable Library)

Found in base branch: main
### Vulnerability Details
In Apache Thrift all versions up to and including 0.12.0, a server or client may run into an endless loop when fed specific input data. Because the issue had already been partially fixed in version 0.11.0, depending on the installed version it affects only certain language bindings.
Publish Date: 2019-10-28
URL: CVE-2019-0205
### CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

### Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0205
Release Date: 2019-10-28
Fix Resolution (org.apache.thrift:libthrift): 0.13.0
Direct dependency fix Resolution (org.apache.hive:hive-jdbc): 4.0.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

## CVE-2018-1320
### Vulnerable Library - libthrift-0.9.3.jar
Thrift is a software framework for scalable cross-language services development.
Path to dependency file: /nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-nar/pom.xml
Path to vulnerable library: /nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-nar/pom.xml,/nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-processors/pom.xml
Dependency Hierarchy:
- hive-jdbc-3.1.2.jar (Root Library)
  - hive-common-3.1.2.jar
    - hive-shims-3.1.2.jar
      - hive-shims-common-3.1.2.jar
        - :x: **libthrift-0.9.3.jar** (Vulnerable Library)

Found in base branch: main
### Vulnerability Details
Apache Thrift Java client library versions 0.5.0 through 0.11.0 can bypass SASL negotiation isComplete validation in the org.apache.thrift.transport.TSaslTransport class. An assert used to determine if the SASL handshake had successfully completed could be disabled in production settings, making the validation incomplete.
Publish Date: 2019-01-07
URL: CVE-2018-1320
### CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: High
  - Availability Impact: None

### Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1320
Release Date: 2019-01-07
Fix Resolution (org.apache.thrift:libthrift): 0.9.3-1
Direct dependency fix Resolution (org.apache.hive:hive-jdbc): 4.0.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.