CVE-2024-29869

Published: Jan 28, 2025Modified: Jul 15, 2025

5.5

Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Exploitability: 1.8 / Impact: 3.6

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

Hive creates a credentials file to a temporary directory in the file system with permissions 644 by default when the file permissions are not set explicitly. Any unauthorized user having access to the directory can read the sensitive information written into this file. Users are recommended to upgrade to version 4.0.1, which fixes this issue.

Affected (1)

Products: Apache: Hive

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Apache Hive	From 1.1.0 to 4.0.1

Related CWEs

Incorrect Permission Assignment for Critical Resource

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

References (5)

https://github.com/apache/hive

Source: security@apache.org

Product

https://github.com/apache/hive/commit/20106e254527f7d71b2e34455c4322e14950c620

Source: security@apache.org

Patch

https://issues.apache.org/jira/browse/HIVE-28134

Source: security@apache.org

Issue Tracking

https://lists.apache.org/thread/h27ohpyrqf9w1m3c0tqr7x8jg59rcrv6

Source: security@apache.org

Mailing ListVendor Advisory

http://www.openwall.com/lists/oss-security/2025/01/28/4

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

Timeline

No history available yet.