[ https://issues.apache.org/jira/browse/HIVE-28594?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Stamatis Zampetakis updated HIVE-28594:
---------------------------------------
    Security: Public  (was: Non-Public)

> HS2 WebUI's LDAP authentication has security issues
> ---------------------------------------------------
>
>                 Key: HIVE-28594
>                 URL: https://issues.apache.org/jira/browse/HIVE-28594
>             Project: Hive
>          Issue Type: Bug
>      Security Level: Public (Viewable by anyone)
>          Components: Web UI
>            Reporter: Stamatis Zampetakis
>            Assignee: Zhihua Deng
>            Priority: Blocker
>             Fix For: 4.1.0
>
>         Attachments: image-20241025124321373.png
>
>
> In the following commit, we noticed that HS2 wanted to add LDAP
> authentication to the WebUI:
> [https://github.com/apache/hive/commit/d87e2fccc3b0f30f7808cc33d73aae6f07644212#diff-b7bbe8545a21ec7d7e9cfe40ef66444789e332996aaa9e7f1430dbe4822a2c9cR4027]
>
> However, the following code in LDAPAuthenticationFilter seems to have
> security issues:
> [https://github.com/apache/hive/blob/d87e2fccc3b0f30f7808cc33d73aae6f07644212/service/src/java/org/apache/hive/service/servlet/LDAPAuthenticationFilter.java#L52]
>
> !image-20241025124321373.png!
>
> Here, {{request.getRequestURI()}} is used to obtain the access URI and
> {{endswith}} is used to determine the current access route.
> However, with this approach, attackers can use a SEMICOLON to forge a URI suffix,
> for example {{/hiveserver2.jsp;login}}, and this causes a permission escape.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)