216.73.217.64

CVE-2022-41137

· Published 05/12/2024 10:15 · Modified 05/12/2024 17:15

Labels: CVE-2022-41137 2024-12-05CVE-2022-41137CWE-502[email protected]

Essential information

Published
05/12/2024 10:15
Modified
05/12/2024 17:15
Author
Creator
CVSS
8.3 HIGH (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H

CVSS metrics

Description

Apache Hive Metastore (HMS) uses SerializationUtilities#deserializeObjectWithTypeInformation method when filtering and fetching partitions that is unsafe and can lead to Remote Code Execution (RCE) since it allows the deserialization of arbitrary data. In real deployments, the vulnerability can be exploited only by authenticated users/clients that were able to successfully establish a connection to the Metastore. From an API perspective any code that calls the unsafe method may be vulnerable unless it performs additional prerechecks on the input arguments.

NVD status

Status
Awaiting Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

References