U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

National Vulnerability Database

National Vulnerability Database

NVD

National Vulnerability Database

Vulnerability Change Records for CVE-2022-41137

Change History

CVE Modified by CVE 12/05/2024 5:15:04 AM

Action Type Old Value New Value
Added Reference 

								
							
							
								
							
						
								
							
								
http://www.openwall.com/lists/oss-security/2024/12/04/2

								
								
					

				
			




		

	
		

			 
			

				New CVE Received from Apache Software Foundation 12/05/2024 5:15:04 AM
			



			

				 
					

						Action
						Type
						Old Value
						New Value
					

				
				
					

						Added
						Description
						
							
							
								
							
								

								
							
							
								
							
						
								
							
								
Apache Hive Metastore (HMS) uses SerializationUtilities#deserializeObjectWithTypeInformation method when filtering and fetching partitions that is unsafe and can lead to Remote Code Execution (RCE) since it allows the deserialization of arbitrary data.

In real deployments, the vulnerability can be exploited only by authenticated users/clients that were able to successfully establish a connection to the Metastore. From an API perspective any code that calls the unsafe method may be vulnerable unless it performs additional prerechecks on the input arguments.

								
								
					

					

						Added
						CWE
						
							
							
								
							
								

								
							
							
								
							
						
								
							
								
CWE-502

								
								
					

					

						Added
						Reference
						
							
							
								
							
								

								
							
							
								
							
						
								
							
								
https://github.com/apache/hive

								
								
					

					

						Added
						Reference
						
							
							
								
							
								

								
							
							
								
							
						
								
							
								
https://github.com/apache/hive/commit/60027bb9c91a93affcfebd9068f064bc1f2a74c9

								
								
					

					

						Added
						Reference
						
							
							
								
							
								

								
							
							
								
							
						
								
							
								
https://issues.apache.org/jira/browse/HIVE-26539

								
								
					

					

						Added
						Reference
						
							
							
								
							
								

								
							
							
								
							
						
								
							
								
https://lists.apache.org/thread/jwtr3d9yovf2wo0qlxvkhoxnwxxyzgts