Apache Hive: Credentials file created with non restrictive permissions
Description
Hive creates a credentials file in a temporary directory on the file system with permissions 644 by default when the file permissions are not set explicitly. Any unauthorized user with access to that directory can read the sensitive information written into the file. Users are recommended to upgrade to version 4.0.1, which fixes this issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Hive creates a credentials file with default permissions 644 in a temporary directory, allowing local unauthorized users to read sensitive information.
Vulnerability
CVE-2024-29869 affects Apache Hive versions from 1.1.0 up to, but not including, 4.0.1. The vulnerability lies in the SecureCmdDoAs component, where Hive creates a credentials file in a temporary directory with file permissions 644 (world-readable) by default when explicit file permissions are not configured [1][4]. The file is therefore readable by any user on the system who can reach that temporary directory.
Exploitation
An unauthorized user with local access to the file system where Hive runs can read the credentials file. The only requirement is access to the temporary directory Hive uses; no special privileges or authentication bypass are needed beyond local user access [2][4].
Impact
Successful reading of the credentials file can expose sensitive information such as authentication tokens or passwords used by Hive to access other services. This can lead to unauthorized access to data or systems that Hive interacts with, potentially compromising the broader Hadoop ecosystem.
Mitigation
The issue is fixed in Apache Hive versions 4.0.1 and 4.1.0 [1]. Users are recommended to upgrade to the latest patched version. None of the references lists this vulnerability in CISA's Known Exploited Vulnerabilities (KEV) catalog. No workarounds are provided in the references, but administrators can manually set restrictive permissions on the credentials file as a temporary measure.
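As an added defender-side example (not part of this advisory or of Hive's own code), a small Python audit that mirrors the two facts above: a 644 default leaves a token file readable by group and others, and the fix's `applyUMask` arithmetic can only remove permission bits. It scans a directory of your choosing for files readable beyond their owner and tightens them to owner-only, the interim measure the Mitigation paragraph describes; the directory and file contents here are constructed, since the page does not name Hive's temporary directory.

```python
import os
import stat
import tempfile

# Permission bits that grant access to anyone other than the file owner.
NON_OWNER_BITS = (stat.S_IRGRP | stat.S_IWGRP | stat.S_IXGRP
                  | stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH)

def effective_mode(requested: int, umask: int) -> int:
    """Same arithmetic as FsPermission.applyUMask in the fix: the umask can only
    clear bits, so a requested 0700 never widens beyond owner-only."""
    return requested & ~umask & 0o777

def exposed_files(directory: str) -> list[str]:
    """Regular files in `directory` that group or others can read, write or run
    (a 644 token file, the default this CVE describes, is the typical hit)."""
    found = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        st = os.lstat(path)  # lstat: never follow a symlink planted in the temp dir
        if stat.S_ISREG(st.st_mode) and st.st_mode & NON_OWNER_BITS:
            found.append(path)
    return found

def tighten(directory: str) -> list[str]:
    """Interim measure from the Mitigation section: strip group/other bits."""
    changed = []
    for path in exposed_files(directory):
        mode = stat.S_IMODE(os.lstat(path).st_mode)
        os.chmod(path, mode & ~NON_OWNER_BITS)
        changed.append(path)
    return changed

def demo() -> dict:
    """Constructed scenario, no Hive needed: a 644 token file beside a 600 one."""
    with tempfile.TemporaryDirectory() as d:
        leaky = os.path.join(d, "hive_token_leaky")
        safe = os.path.join(d, "hive_token_safe")
        for path, mode in ((leaky, 0o644), (safe, 0o600)):
            with open(path, "w") as fh:
                fh.write("constructed placeholder, not a real token\n")
            os.chmod(path, mode)
        before = [os.path.basename(p) for p in exposed_files(d)]
        tighten(d)
        return {"before": before,
                "after": [os.path.basename(p) for p in exposed_files(d)],
                "leaky_mode_now": stat.S_IMODE(os.stat(leaky).st_mode)}

if __name__ == "__main__":
    print(demo())  # {'before': ['hive_token_leaky'], 'after': [], 'leaky_mode_now': 384}
```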
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.apache.hive:hive-exec | Maven | < 4.0.1 | 4.0.1 |
Affected products
OSV coordinates (20 package versions; none carries a CPE):

| Package (purl) | Affected range |
|---|---|
| pkg:apk/chainguard/spark-3.5 | < 3.5.7-r2 |
| pkg:apk/chainguard/spark-3.5-scala-2.12-compat | < 3.5.7-r2 |
| pkg:apk/chainguard/spark-3.5-scala-2.12-iamguarded-compat | < 3.5.7-r2 |
| pkg:apk/chainguard/spark-3.5-scala-2.13-compat | < 3.5.7-r2 |
| pkg:apk/chainguard/spark-4.0 | < 4.0.1-r1 |
| pkg:apk/chainguard/spark-4.0-scala-2.13-compat | < 4.0.1-r1 |
| pkg:apk/chainguard/spark-4.1 | < 4.1.0-r1 |
| pkg:apk/chainguard/spark-4.1-scala-2.13-compat | < 4.1.0-r1 |
| pkg:apk/chainguard/spark-fips-3.5 | < 3.5.4-r17 |
| pkg:apk/chainguard/spark-fips-3.5-scala-2.12-compat | < 3.5.4-r17 |
| pkg:apk/chainguard/spark-fips-3.5-scala-2.13-compat | < 3.5.4-r17 |
| pkg:apk/wolfi/spark-3.5 | < 3.5.7-r2 |
| pkg:apk/wolfi/spark-3.5-scala-2.12-compat | < 3.5.7-r2 |
| pkg:apk/wolfi/spark-3.5-scala-2.12-iamguarded-compat | < 3.5.7-r2 |
| pkg:apk/wolfi/spark-3.5-scala-2.13-compat | < 3.5.7-r2 |
| pkg:apk/wolfi/spark-4.0 | < 4.0.1-r1 |
| pkg:apk/wolfi/spark-4.0-scala-2.13-compat | < 4.0.1-r1 |
| pkg:apk/wolfi/spark-4.1 | < 4.1.0-r1 |
| pkg:apk/wolfi/spark-4.1-scala-2.13-compat | < 4.1.0-r1 |
| pkg:maven/org.apache.hive/hive-exec | < 4.0.1 |

CVE record (v5): Apache Software Foundation / Apache Hive, range: 1.1.0
Patches
Commit 20106e254527: HIVE-28134: Improve SecureCmdDoAs. (#5140). (Ayush Saxena, reviewed by Sourabh Badhya)
1 file changed, +9 −1
ql/src/java/org/apache/hadoop/hive/ql/exec/SecureCmdDoAs.java+9 −1 modified@@ -23,8 +23,10 @@ import java.net.URISyntaxException; import java.util.Map; +import org.apache.hadoop.fs.FSDataOutputStream; import org.apache.hadoop.fs.FileSystem; import org.apache.hadoop.fs.Path; +import org.apache.hadoop.fs.permission.FsPermission; import org.apache.hadoop.hive.conf.HiveConf; import org.apache.hadoop.hive.ql.metadata.HiveException; import org.apache.hadoop.hive.shims.ShimLoader; @@ -68,7 +70,13 @@ public SecureCmdDoAs(HiveConf conf) throws HiveException, IOException{ tokenPath = new Path(tokenFile.toURI()); //write credential with token to file - cred.writeTokenStorageFile(tokenPath, conf); + FsPermission umask = FsPermission.getUMask(conf); + FsPermission targetPerm = FsPermission.createImmutable((short) 0700); + + try (FSDataOutputStream os = tokenPath.getFileSystem(conf).createFile(tokenPath) + .permission(targetPerm.applyUMask(umask)).build()) { + cred.writeTokenStorageToStream(os, Credentials.SerializedFormat.WRITABLE); + } } public void addEnv(Map<String, String> env){
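Review bot: the builder call `createFile(tokenPath).permission(targetPerm.applyUMask(umask)).build()` sets owner-only mode at creation time rather than by a chmod after the write, which closes the window the old `cred.writeTokenStorageFile(tokenPath, conf)` left open, but two points need confirming. First, the hunk keeps `tokenPath = new Path(tokenFile.toURI())` as context, so `tokenFile` already exists before this create call; check that whatever creates it earlier does not itself leave a default-mode file on disk that this `createFile` only later replaces. Second, `applyUMask` can only clear bits of 0700, never add them, so a permissive umask cannot reintroduce the 644 default; a one-line comment stating that intent next to `targetPerm` would save the next reader the lookup.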
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. github.com/apache/hive/commit/20106e254527f7d71b2e34455c4322e14950c620 (GHSA; patch; web)
2. github.com/advisories/GHSA-c476-j253-5rgq (GHSA; advisory)
3. lists.apache.org/thread/h27ohpyrqf9w1m3c0tqr7x8jg59rcrv6 (GHSA; vendor advisory; web)
4. nvd.nist.gov/vuln/detail/CVE-2024-29869 (GHSA; advisory)
5. www.openwall.com/lists/oss-security/2025/01/28/4 (GHSA; web)
6. issues.apache.org/jira/browse/HIVE-28134 (GHSA; issue tracking; web)
News mentions
No linked articles in our index yet.