CVE-2024-29869

Jan. 29, 2025, 3:15 p.m.

5.5
Medium

Description

Hive creates a credentials file to a temporary directory in the file system with permissions 644 by default when the file permissions are not set explicitly. Any unauthorized user having access to the directory can read the sensitive information written into this file. Users are recommended to upgrade to version 4.0.1, which fixes this issue.

Product(s) Impacted

Product Versions
Apache Hive
  • ['4.0.1']

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-732
Incorrect Permission Assignment for Critical Resource
The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

References

https://github.com/apache/hive
https://github.com/apache/hive/commit/20106e254527f7d71b2e34455c4322e14950c620
https://issues.apache.org/jira/browse/HIVE-28134
https://lists.apache.org/thread/h27ohpyrqf9w1m3c0tqr7x8jg59rcrv6
http://www.openwall.com/lists/oss-security/2025/01/28/4

Tags

CWE-732
security@apache.org
2025-01-28
CVE-2024-29869

CVSS Score

5.5 / 10

CVSS Data - 3.1

  • Attack Vector: LOCAL
  • Attack Complexity: LOW
  • Privileges Required: LOW
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: NONE
  • Availability Impact: NONE

    • CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

    View Vector String

Timeline

Published: Jan. 28, 2025, 10:15 p.m.
Last Modified: Jan. 29, 2025, 3:15 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security@apache.org

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.