Base Score

HIGH8.1

CVE-2021-40331

An Incorrect Permission Assignment for Critical Resource vulnerability was found in the Apache Ranger Hive Plugin. Any user with SELECT privilege on a database can alter the ownership of the table in Hive when Apache Ranger Hive Plugin is enabled This issue affects Apache Ranger Hive Plugin: from 2.0.0 through 2.3.0. Users are recommended to upgrade to version 2.4.0 or later.

VectorNETWORK

Published Bysecurity@apache.org

Published DateMay 05, 2023, 08:15

Affected Versions(1)

org.apache.ranger:ranger-hive-plugin(Maven)

Introduced2.0.0

Fixed2.4.0

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
org.apache.ranger:ranger-hive-plugin(Maven)	2.0.0	2.4.0	N/A

Weakness Type (CWE):CWE-732

CVSS Metrics

Base Score

8.1

Vector String

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Base Severity

HIGH

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

LOW

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

HIGH

Integrity (I)

HIGH

Availability (A)

NONE

References

https://lists.apache.org/thread/s68yls6cnkdmzn1k4hqt50vs6wjvt2rn

Base Score

HIGH8.1

Weakness Type (CWE):CWE-732

CVSS Metrics

Base Score

8.1

Vector String

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Base Severity

HIGH

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

LOW

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

HIGH

Integrity (I)

HIGH

Availability (A)

NONE