CVE-2025-62728
Chinese title:
(no data available)
English title:
Apache Hive: SQL injection vulnerability when processing delete column statistics requests via the HMS Thrift APIs
Vulnerability description
Chinese description:
(no data available)
English description:
SQL injection vulnerability in Hive Metastore Server (HMS) when processing delete column statistics requests via the Thrift APIs. The vulnerability is only exploitable by trusted/authorized users/applications that are allowed to call the Thrift APIs directly. In most real-world deployments, HMS is accessible to only a handful of applications (e.g., Hiveserver2), thus the vulnerability is not exploitable. Moreover, the vulnerable code cannot be reached when the metastore.try.direct.sql property is set to false. This issue affects Apache Hive: from 4.1.0 before 4.2.0. Users are recommended to upgrade to version 4.2.0, which fixes the issue. Users who cannot upgrade directly are encouraged to set the metastore.try.direct.sql property to false if the HMS Thrift APIs are exposed to the general public.
CWE type:
Tags:
Affected products
| Vendor | Product | Version | Version range | Platform | CPE |
|---|---|---|---|---|---|
| Apache Software Foundation | Apache Hive | - | < 4.2.0 | - | cpe:2.3:a:apache_software_foundation:apache_hive:*:*:*:*:*:*:*:* |
| apache | hive | 4.1.0 | - | - | cpe:2.3:a:apache:hive:4.1.0:*:*:*:*:*:*:* |
Solution
Chinese solution:
English solution:
Temporary workaround:
CVSS score details
3.1 (adp)
MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Time information
Exploitation information
Data source details
| Data source | Record ID | Version | Extraction time |
|---|---|---|---|
| CVE | cve_CVE-2025-62728 | 2025-12-03 03:24:30 | 2026-01-12 02:12:14 |
| NVD | nvd_CVE-2025-62728 | 2025-12-05 03:00:02 | 2026-01-12 02:27:57 |
Versions and languages
Security advisories
Change history
- affected_products_count: 1 -> 2
- references_count: 1 -> 2
- data_sources: ['cve'] -> ['cve', 'nvd']