Severity: moderate
Affected versions:
- Apache Hive 4.0.0-alpha-1 before 4.0.0
Description:
Improper Control of Generation of Code ('Code Injection') vulnerability in
Apache Hive.
The vulnerability affects the Hive JDBC driver component and can potentially
lead to arbitrary code execution.
I think the shading should be fixed instead of restoring this core jar.
Providing a core jar means that we support it, and I think that would be a bad
move:
I believe it's an irrational expectation for any project to use the same or
compatible deps as those against which hive-exec was compiled!
For example hive
I agree that shaded hive-exec should be the proper way to go; however, ATM it's
a show-stopper for many downstream projects to upgrade.
Also, based on the mail threads, they clearly understand the risks of using an
unshaded jar but still insist on keeping it.
If we'd like to improve the project