VYPR
Moderate severity · NVD Advisory · Published Nov 8, 2018 · Updated Aug 5, 2024

CVE-2018-1314

Description

In Apache Hive 2.3.3, 3.1.0 and earlier, the EXPLAIN operation lacks authorization checks, allowing unauthorized users to expose table metadata and statistics.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

In Apache Hive versions 2.3.3, 3.1.0, and earlier, the EXPLAIN operation does not perform authorization checks for the tables or views referenced in a query [1]. This means any authenticated Hive user, even one without explicit SELECT or other permissions on the target entity, can execute EXPLAIN on arbitrary tables or views [1][2].

Exploitation

An attacker only needs Hive CLI or JDBC/ODBC access with a valid Hive user account [1]. No special privileges are required beyond basic authentication. The attacker simply runs a query like EXPLAIN SELECT * FROM target_table or EXPLAIN SELECT * FROM target_view to trigger the unauthorized metadata disclosure [1].

Impact

The attacker gains access to table and view metadata, including schema definitions, column names, data types, partition information, and basic statistics (e.g., row count estimates, file sizes) [1]. This information leakage can aid an attacker in planning further attacks or extracting sensitive business logic from the schema. The compromise is limited to information disclosure (breach of confidentiality) with no direct modification or deletion of data possible through this vulnerability [1].

Mitigation

Apache Hive has released patched versions: 2.3.4 and 3.1.1 [2]. Users should upgrade to these versions or later. There is no documented workaround other than upgrading [2]. This CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
org.apache.hive:hive-jdbc (Maven) | < 2.3.4 | 2.3.4
org.apache.hive:hive-jdbc (Maven) | >= 3.0.0, < 3.1.1 | 3.1.1
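
To check a build against the affected ranges listed above, the following added example (not part of the advisory or of Apache Hive) classifies each `org.apache.hive:hive-jdbc` entry in `mvn dependency:list` output. The sample lines, including the vendor-style version string, are constructed, and treating any version with a qualifier as "review" is an assumption of this example.

```python
import re

ARTIFACT = "org.apache.hive:hive-jdbc"
# Half-open [low, high) ranges taken from the affected-packages table.
AFFECTED = [((0, 0, 0), (2, 3, 4)), ((3, 0, 0), (3, 1, 1))]
VERSION_RE = re.compile(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?(.*)$")

def classify(version):
    """Return 'affected', 'fixed' or 'review' for a hive-jdbc version string."""
    m = VERSION_RE.match(version)
    if not m:
        return "review"                      # not a numeric version at all
    if m.group(4):
        return "review"                      # SNAPSHOT, vendor build, etc. (assumption)
    core = tuple(int(p or 0) for p in m.group(1, 2, 3))
    hit = any(low <= core < high for low, high in AFFECTED)
    return "affected" if hit else "fixed"

def scan(dependency_list):
    """Return (version, scope, status) for each hive-jdbc line of `mvn dependency:list`."""
    findings = []
    for line in dependency_list.splitlines():
        for token in line.split():
            # Trailing colon keeps other artifacts with a similar prefix out.
            if token.startswith(ARTIFACT + ":"):
                parts = token.split(":")     # group:artifact:type[:classifier]:version:scope
                if len(parts) in (5, 6):
                    findings.append((parts[-2], parts[-1], classify(parts[-2])))
    return findings

# Constructed sample output, not taken from a real build.
SAMPLE = """\
[INFO]    org.apache.hive:hive-jdbc:jar:2.3.3:compile
[INFO]    org.apache.hive:hive-jdbc:jar:3.1.1:compile
[INFO]    org.apache.hive:hive-jdbc:jar:standalone:3.1.0:runtime
[INFO]    org.apache.hive:hive-jdbc:jar:3.1.0.3.1.0.0-78:compile
[INFO]    org.apache.hive:hive-exec:jar:2.3.3:compile
"""

if __name__ == "__main__":
    for version, scope, status in scan(SAMPLE):
        print(f"{ARTIFACT}:{version} ({scope}): {status}")
```

Entries reported as "review" need a manual check against the vendor's or branch's own release notes, since the numeric prefix alone does not show whether the fix is included.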
