VYPR
Moderate severity · NVD Advisory · Published May 3, 2024 · Updated Feb 13, 2025

Apache Hive: Arbitrary command execution via JDBC driver

CVE-2023-35701

Description

Code injection in Apache Hive JDBC driver allows arbitrary code execution on the client machine via a malicious JDBC URL and HTTP server response.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Overview

CVE-2023-35701 is a code injection vulnerability in the Apache Hive JDBC driver, specifically in the SSO (Single Sign-On) workflow. The driver does not validate the URI it hands to the operating system to open a browser for authentication, so an attacker who controls that URI can inject arbitrary command arguments. This is a classic case of improper control of code generation: externally supplied input reaches a command execution context without validation [1].

Exploitation

An attacker with sufficient permissions to specify or edit JDBC URLs can exploit this by setting up a malicious HTTP server. When a victim's JDBC client connects using a crafted URL that points to the attacker's server, the server returns a specially crafted response that triggers execution of arbitrary commands on the client machine. For full impact, the JDBC client process must run under a privileged user [1].

Impact

Successful exploitation leads to arbitrary code execution on the endpoint running the Hive JDBC driver. This could allow the attacker to compromise the client system, steal data, or pivot to other systems within the network [1].

Mitigation

The vulnerability affects Apache Hive versions from 4.0.0-alpha-1 up to (but not including) 4.0.0. Users are strongly recommended to upgrade to Apache Hive 4.0.0, which includes a fix that validates the SSO URI before use [2][3]. No workarounds are documented.
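A hardened version of the browser-launch path described above, written for this page as an added example rather than Hive's own code: it requires an absolute http(s) URL that carries a host (stricter than a scheme-plus-isAbsolute() test) and passes the URI to the OS launcher as a separate argument instead of concatenating it into a command string. The class and method names and the os.name matching are this example's assumptions.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

// Added example, not Hive's code: validate an SSO redirect URI, then hand it to the
// OS browser launcher as exactly one argv element instead of a concatenated string.
public final class SsoBrowserLauncher {
    private static final Set<String> ALLOWED_SCHEMES = Set.of("http", "https");

    // Accepts only absolute http(s) URLs with a host. Note "https:foo" is absolute
    // (a scheme is present) but opaque, so isAbsolute() alone is not sufficient.
    static URI checkSsoUri(String raw) throws URISyntaxException {
        URI uri = new URI(raw); // spaces and other illegal characters already fail here
        String scheme = uri.getScheme();
        if (scheme == null || !ALLOWED_SCHEMES.contains(scheme.toLowerCase(Locale.ROOT))) {
            throw new URISyntaxException(raw, "scheme must be http or https");
        }
        if (uri.isOpaque() || uri.getHost() == null) {
            throw new URISyntaxException(raw, "absolute URL with a host required");
        }
        return uri;
    }

    // Argument vector per platform (os.name matching is this example's assumption).
    static String[] browserCommand(URI uri) {
        String os = System.getProperty("os.name", "").toLowerCase(Locale.ROOT);
        if (os.contains("win")) return new String[] {"rundll32", "url.dll,FileProtocolHandler", uri.toString()};
        if (os.contains("mac")) return new String[] {"open", uri.toString()};
        return new String[] {"xdg-open", uri.toString()};
    }

    // ProcessBuilder takes argv directly, so the URI is never re-tokenised on whitespace.
    static Process openBrowser(String raw) throws IOException, URISyntaxException {
        return new ProcessBuilder(browserCommand(checkSsoUri(raw))).start();
    }

    public static void main(String[] args) {
        // Inputs from the patch's TestSSOControl, plus the opaque form a scheme-only check accepts.
        for (String s : new String[] {"https://companya.okta.com", "file://randomfile",
                                      "-a Calculator", "https:foo"}) {
            try {
                System.out.println("accepted: " + checkSsoUri(s));
            } catch (URISyntaxException e) {
                System.out.println("rejected: " + s + " (" + e.getReason() + ")");
            }
        }
    }
}
```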

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.apache.hive:hive-jdbc (Maven)
Affected versions: >= 4.0.0-alpha-1, < 4.0.0
Patched versions: 4.0.0

Affected products: 2

Patches: 1

Commit 7abeb1df463c

HIVE-27554: added control to JDBCBrowser client URL (#4537) (Henri Biestro)

https://github.com/apache/hive · Henrib · Aug 14, 2023 · via ghsa
4 files changed · +81 −9
  • jdbc/src/java/org/apache/hive/jdbc/saml/HiveJdbcBrowserClient.java  +4 −4  modified
    @@ -203,7 +203,6 @@ private Map<String, String> getQueryParams(URI ssoUri)
       @VisibleForTesting
       protected void openBrowserWindow() throws HiveJdbcBrowserException {
         URI ssoUri = clientContext.getSsoUri();
    -    Preconditions.checkNotNull(ssoUri, "SSO Url is null");
         try {
           if (Desktop.isDesktopSupported() && Desktop.getDesktop()
               .isSupported(Action.BROWSE)) {
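Review bot: dropping `Preconditions.checkNotNull(ssoUri, "SSO Url is null")` from `openBrowserWindow()` makes this method trust that `clientContext.getSsoUri()` was already validated upstream; if any code path sets the SSO URI without going through the redirect strategy's check, the later `ssoUri.toString()` turns a clear precondition failure into a NullPointerException. Keeping the local null check costs nothing and keeps the method's contract self-contained.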
    @@ -212,18 +211,19 @@ protected void openBrowserWindow() throws HiveJdbcBrowserException {
             LOG.info(
                 "Desktop mode is not supported. Attempting to use OS "
                     + "commands to open the default browser");
    +        String ssoUriStr = ssoUri.toString();
             //Desktop is not supported, lets try to open the browser process
             OsType os = getOperatingSystem();
             switch (os) {
               case WINDOWS:
                 Runtime.getRuntime()
    -                .exec("rundll32 url.dll,FileProtocolHandler " + ssoUri.toString());
    +                .exec("rundll32 url.dll,FileProtocolHandler " + ssoUriStr);
                 break;
               case MAC:
    -            Runtime.getRuntime().exec("open " + ssoUri.toString());
    +            Runtime.getRuntime().exec("open " + ssoUriStr);
                 break;
               case LINUX:
    -            Runtime.getRuntime().exec("xdg-open " + ssoUri.toString());
    +            Runtime.getRuntime().exec("xdg-open " + ssoUriStr);
                 break;
               case UNKNOWN:
                 throw new HiveJdbcBrowserException(
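Review bot: the three `Runtime.getRuntime().exec(... + ssoUriStr)` calls still pass one concatenated string, and the single-argument `exec` splits that string into tokens on whitespace, so the only thing keeping the redirect URI from becoming extra arguments to `rundll32`, `open` or `xdg-open` is the scheme check in `HiveJdbcSamlRedirectStrategy`. Use the array form, e.g. `Runtime.getRuntime().exec(new String[]{"xdg-open", ssoUriStr})`, so the URI is a single argument regardless of what validation upstream does; introducing the `ssoUriStr` local is otherwise a purely cosmetic change.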
    
  • jdbc/src/java/org/apache/hive/jdbc/saml/HiveJdbcSamlRedirectStrategy.java  +26 −0  modified
    @@ -62,4 +62,30 @@ public boolean isRedirected(
         }
         return super.isRedirected(request, response, context);
       }
    +
    +  @Override
    +  public URI getLocationURI(HttpRequest request, HttpResponse response, HttpContext context) throws ProtocolException {
    +    // add our own check to super-call
    +    return checkSsoUri(super.getLocationURI(request, response, context));
    +  }
    +
    +  /**
    +   * Checks that the URI used to redirect SSO is valid.
    +   * @param uri the uri to validate
    +   * @return the uri
    +   * @throws ProtocolException if uri is null or not http(s) or not absolute
    +   */
    +  static URI checkSsoUri(URI uri) throws ProtocolException {
    +    if (uri == null) {
    +      throw new ProtocolException("SSO Url is null");
    +    }
    +    final String scheme = uri.getScheme();
    +    // require https or https and absolute
    +    final boolean valid = ("http".equalsIgnoreCase(scheme) || "https".equalsIgnoreCase(scheme))
    +                          && uri.isAbsolute();
    +    if (!valid) {
    +      throw new ProtocolException("SSO Url "+uri.toString()+ "is invalid");
    +    }
    +    return uri;
    +  }
     }
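Review bot: `checkSsoUri` accepts any URI whose scheme is http or https and for which `isAbsolute()` holds, but `isAbsolute()` is true whenever a scheme is present, so scheme-only opaque forms such as `https:foo` pass; consider also requiring `!uri.isOpaque()` or a non-null `getHost()`. The check also places no restriction on which host the client is sent to, so document that the IdP host is trusted by configuration rather than by this method. Two small fixes in the same hunk: the comment `// require https or https and absolute` should read `http or https`, and the message `"SSO Url "+uri.toString()+ "is invalid"` is missing a space before `is`.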
    
  • jdbc/src/java/org/apache/hive/jdbc/saml/IJdbcBrowserClient.java  +0 −5  modified
    @@ -21,12 +21,7 @@
     import com.google.common.base.Preconditions;
     import com.google.errorprone.annotations.Immutable;
     import java.io.Closeable;
    -import java.io.UnsupportedEncodingException;
     import java.net.URI;
    -import java.net.URLDecoder;
    -import java.nio.charset.StandardCharsets;
    -import java.util.HashMap;
    -import java.util.Map;
     import org.apache.hive.service.auth.saml.HiveSamlUtils;
     
     /**
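Review bot: this file's only change is the removal of five imports (`UnsupportedEncodingException`, `URLDecoder`, `StandardCharsets`, `HashMap`, `Map`) with no accompanying code change, so they were already unused; that is housekeeping unrelated to the fix and is better kept out of a security commit so the backport stays minimal and the reviewed surface is just the validation change.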
    
  • jdbc/src/test/org/apache/hive/jdbc/saml/TestSSOControl.java  +51 −0  added
    @@ -0,0 +1,51 @@
    +/*
    + * Licensed to the Apache Software Foundation (ASF) under one
    + * or more contributor license agreements.  See the NOTICE file
    + * distributed with this work for additional information
    + * regarding copyright ownership.  The ASF licenses this file
    + * to you under the Apache License, Version 2.0 (the
    + * "License"); you may not use this file except in compliance
    + * with the License.  You may obtain a copy of the License at
    + *
    + *     http://www.apache.org/licenses/LICENSE-2.0
    + *
    + * Unless required by applicable law or agreed to in writing, software
    + * distributed under the License is distributed on an "AS IS" BASIS,
    + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    + * See the License for the specific language governing permissions and
    + * limitations under the License.
    + */
    +
    +package org.apache.hive.jdbc.saml;
    +
    +import java.net.URI;
    +
    +import org.junit.Test;
    +import static org.junit.Assert.assertFalse;
    +import static org.junit.Assert.assertTrue;
    +
    +public class TestSSOControl {
    +
    +  static boolean checkValid(String uri) {
    +    try {
    +      HiveJdbcSamlRedirectStrategy.checkSsoUri(new URI(uri));
    +      return true;
    +    } catch(Exception xany) {
    +      return false;
    +    }
    +  }
    +
    +  @Test
    +  public void testValidURL() {
    +    assertTrue(checkValid("https://companya.okta.com"));
    +    assertTrue(checkValid("https://companyb.okta.com:8080"));
    +    assertTrue(checkValid("https://companyc.okta.com/testpathvalue"));
    +  }
    +
    +  @Test
    +  public void testInvalidURL() {
    +    assertFalse(checkValid("-a Calculator"));
    +    assertFalse(checkValid("This is random text"));
    +    assertFalse(checkValid("file://randomfile"));
    +  }
    +}
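Review bot: `checkValid` swallows every `Exception`, so `assertFalse(checkValid("-a Calculator"))` and the `"This is random text"` case pass because `new URI(...)` rejects the embedded spaces with a `URISyntaxException` before `checkSsoUri` ever runs; only `file://randomfile` actually exercises the new check. Catch `URISyntaxException` separately (or fail the test on it) and add inputs that parse but must be rejected, for instance a non-web scheme such as `ftp://host/`, a relative path like `/login`, and the opaque form `https:foo` if the check is tightened to require a host.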
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 6

News mentions: 0