Apache Hive
20 CVEs affecting Apache Hive. Latest disclosed: 2025-11-26. Critical: 2, High: 7.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2018-21234 | Critical | 9.8 | 2020-05-21 | Jodd before 5.0.4 performs Deserialization of Untrusted JSON Data when setClassMetadataName is set. |
| CVE-2018-1282 | Critical | 9.1 | 2018-04-05 | This vulnerability in Apache Hive JDBC driver 0.7.1 to 2.3.2 allows carefully crafted arguments to be used to bypass the argument escaping/cleanup that JDBC dr… |
| CVE-2022-41137 | High | 8.3 | 2024-12-05 | Apache Hive Metastore (HMS) uses SerializationUtilities#deserializeObjectWithTypeInformation method when filtering and fetching partitions that is unsafe and c… |
| CVE-2015-7521 | High | 8.3 | 2016-01-29 | The authorization framework in Apache Hive 1.0.0, 1.0.1, 1.1.0, 1.1.1, 1.2.0 and 1.2.1, on clusters protected by Ranger and SqlStdHiveAuthorization, allows att… |
| CVE-2018-11777 | High | 8.1 | 2018-11-08 | In Apache Hive 2.3.3, 3.1.0 and earlier, local resources on HiveServer2 machines are not properly protected against malicious user if ranger, sentry or sql sta… |
| CVE-2021-34538 | High | 7.5 | 2022-07-16 | Apache Hive before 3.1.3 "CREATE" and "DROP" function operations does not check for necessary authorization of involved entities in the query. It was found tha… |
| CVE-2020-13949 | High | 7.5 | 2021-02-12 | In Apache Thrift 0.9.3 to 0.13.0, malicious RPC clients could send short messages which would result in a large memory allocation, potentially leading to denia… |
| CVE-2016-3083 | High | 7.5 | 2017-05-30 | Apache Hive (JDBC + HiveServer2) implements SSL for plain TCP and HTTP connections (it supports both transport modes). While validating the server's certificat… |
| CVE-2015-1772 | High | 7.3 | 2015-12-21 | The LDAP implementation in HiveServer2 in Apache Hive before 1.0.1 and 1.1.x before 1.1.1, as used in IBM InfoSphere BigInsights 3.0, 3.0.0.1, and 3.0.0.2 and… |
| CVE-2023-35701 | Medium | 6.6 | 2024-05-03 | Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Hive. The vulnerability affects the Hive JDBC driver component and it can po… |
| CVE-2024-23953 | Medium | 6.5 | 2025-01-28 | Use of Arrays.equals() in LlapSignerImpl in Apache Hive to compare message signatures allows attacker to forge a valid signature for an arbitrary message byte… |
| CVE-2024-23945 | Medium | 5.9 | 2024-12-23 | Signing cookies is an application security feature that adds a digital signature to cookie data to verify its authenticity and integrity. The signature helps p… |
| CVE-2020-1926 | Medium | 5.9 | 2021-03-16 | Apache Hive cookie signature verification used a non constant time comparison which is known to be vulnerable to timing attacks. This could allow recovery of a… |
| CVE-2024-29869 | Medium | 5.5 | 2025-01-28 | Hive creates a credentials file to a temporary directory in the file system with permissions 644 by default when the file permissions are not set explicitly. A… |
| CVE-2025-62728 | Medium | 5.4 | 2025-11-26 | SQL injection vulnerability in Hive Metastore Server (HMS) when processing delete column statistics requests via the Thrift APIs. The vulnerability is only exp… |
| CVE-2018-1314 | Medium | 4.3 | 2018-11-08 | In Apache Hive 2.3.3, 3.1.0 and earlier, Hive "EXPLAIN" operation does not check for necessary authorization of involved entities in a query. An unauthorized u… |
| CVE-2017-12625 | Medium | 4.3 | 2017-11-01 | Apache Hive 2.1.x before 2.1.2, 2.2.x before 2.2.1, and 2.3.x before 2.3.1 expose an interface through which masking policies can be defined on tables or views… |
| CVE-2018-1315 | Low | 3.7 | 2018-04-05 | In Apache Hive 2.1.0 to 2.3.2, when 'COPY FROM FTP' statement is run using HPL/SQL extension to Hive, a compromised/malicious FTP server can cause the file to… |
| CVE-2018-1284 | Low | 3.7 | 2018-04-05 | In Apache Hive 0.6.0 to 2.3.2, malicious user might use any xpath UDFs (xpath/xpath_string/xpath_boolean/xpath_number/xpath_double/xpath_float/xpath_long/xpath… |
| CVE-2014-0228 | | | 2014-11-16 | Apache Hive before 0.13.1, when in SQL standards based authorization mode, does not properly check the file permissions for (1) import and (2) export statement… |