[ https://issues.apache.org/jira/browse/HIVE-22073?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16898351#comment-16898351 ]
Piotr Findeisen edited comment on HIVE-22073 at 8/1/19 8:52 PM:
----------------------------------------------------------------

In {{master}} this seems fixed already by HIVE-20607.
It might be sufficient to backport that change to 3.1 branch

(For context: I'm using Hive 3.1 because this is the version available in latest HDP (HDP 3.1)).


was (Author: findepi):
In {{master}} this seems fixed already by HIVE-20607.
It might be sufficient to backport that change to 3.1 branch

> SQL Injection in TxnHandler#enqueueLockWithRetry
> ------------------------------------------------
>
>                 Key: HIVE-22073
>                 URL: https://issues.apache.org/jira/browse/HIVE-22073
>             Project: Hive
>          Issue Type: Bug
>    Affects Versions: 3.1.1
>            Reporter: Piotr Findeisen
>            Priority: Critical
>
> The {{org.apache.hadoop.hive.metastore.txn.TxnHandler#enqueueLockWithRetry}}
> method gets called for Thrift {{lock}} API call with input passed from the
> user.
> Within that method there is SQL injection possible:
> [https://github.com/apache/hive/blob/774a8ef7a6e92c8a43cad2fa66bd944e666f75f0/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/txn/TxnHandler.java#L1987-L1991]
> for example, when partition name contains an apostrophe.
>
> Impact:
> * vulnerability: privilege escalation possible
> * availability: user cannot query ACID table where string/varchar partition
> key contains an apostrophe
>
>
>
> --
This message was sent by Atlassian JIRA
(v7.6.14#76016)
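The availability symptom in the report (an apostrophe in a partition name breaking a concatenated statement) can be reproduced and contrasted with bound parameters. This is an added example, not code from Hive or from the reporter; it uses an in-memory SQLite database as a stand-in for the metastore's backing RDBMS, and the table `locks_demo`, its columns and all function names are hypothetical.

```python
import sqlite3

# Constructed sample input: a partition name containing an apostrophe.
PARTITION = "city=O'Hare"


def make_db():
    db = sqlite3.connect(":memory:")
    # Hypothetical table for the demo, not the metastore schema.
    db.execute("CREATE TABLE locks_demo (db_name TEXT, tbl TEXT, part TEXT)")
    return db


def enqueue_concat(db, db_name, tbl, part):
    """'Before' form: caller-supplied values are spliced into the SQL text."""
    sql = ("INSERT INTO locks_demo (db_name, tbl, part) VALUES ('"
           + db_name + "', '" + tbl + "', '" + part + "')")
    db.execute(sql)


def enqueue_bound(db, db_name, tbl, part):
    """Hardened form: values travel as bound parameters, never as SQL text."""
    db.execute(
        "INSERT INTO locks_demo (db_name, tbl, part) VALUES (?, ?, ?)",
        (db_name, tbl, part),
    )


def try_enqueue(fn, part):
    """Run one enqueue variant on a fresh database and report the outcome."""
    db = make_db()
    try:
        fn(db, "default", "acid_tbl", part)
    except sqlite3.OperationalError as exc:
        # The apostrophe ended the string literal early; the rest is parsed as SQL.
        return ("error", str(exc))
    stored = db.execute("SELECT part FROM locks_demo").fetchone()[0]
    return ("ok", stored)


if __name__ == "__main__":
    for fn in (enqueue_concat, enqueue_bound):
        print(fn.__name__, try_enqueue(fn, PARTITION))
```

The concatenated variant fails on the apostrophe because the value is parsed as part of the statement, which is the same property that makes the call injectable; the bound variant stores the value byte for byte.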