CVE-2025-62728

SQL injection vulnerability in Hive Metastore Server (HMS) when processing delete column statistics requests via the Thrift APIs. The vulnerability is only exploitable by trusted/authorized users/applications that are allowed to call directly the Thrift APIs. In most real-world deployments, HMS is accessible to only a handful of applications (e.g., Hiveserver2) thus the vulnerability is not exploitable. Moreover, the vulnerable code cannot be reached when metastore.try.direct.sql property is set to false. This issue affects Apache Hive: from 4.1.0 before 4.2.0. Users are recommended to upgrade to version 4.2.0, which fixes the issue. Users who cannot upgrade directly are encouraged to set metastore.try.direct.sql property to false if the HMS Thrift APIs are exposed to general public.

CVSS v3 5.4 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://lists.apache.org/thread/yj65dd8dmzgy8p3nv8zy33v8knzg9o7g	Vendor Advisory
http://www.openwall.com/lists/oss-security/2025/11/26/3	Mailing List Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:hive:4.1.0:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-11-26 09:15

Updated : 2025-12-04 16:46

NVD link : CVE-2025-62728

Mitre link : CVE-2025-62728

CVE.ORG link : CVE-2025-62728

JSON object : View

Products Affected

apache

hive

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

{"id": "CVE-2025-62728", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 2.8}]}, "published": "2025-11-26T09:15:46.293", "references": [{"url": "https://lists.apache.org/thread/yj65dd8dmzgy8p3nv8zy33v8knzg9o7g", "tags": ["Vendor Advisory"], "source": "security@apache.org"}, {"url": "http://www.openwall.com/lists/oss-security/2025/11/26/3", "tags": ["Mailing List", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security@apache.org", "description": [{"lang": "en", "value": "CWE-89"}]}], "descriptions": [{"lang": "en", "value": "SQL injection vulnerability in Hive Metastore Server (HMS) when processing delete column statistics requests via the Thrift APIs. The vulnerability is only exploitable by trusted/authorized users/applications that are allowed to call directly the Thrift APIs. In most real-world deployments, HMS is accessible to only a handful of applications (e.g., Hiveserver2) thus the vulnerability is not exploitable. Moreover, the vulnerable code cannot be reached when metastore.try.direct.sql property is set to false.\n\nThis issue affects Apache Hive: from 4.1.0 before 4.2.0.\n\nUsers are recommended to upgrade to version 4.2.0, which fixes the issue. Users who cannot upgrade directly are encouraged to set\u00a0metastore.try.direct.sql property to false if the HMS Thrift APIs are exposed to general public."}, {"lang": "es", "value": "Vulnerabilidad de inyecci\u00f3n SQL en Hive Metastore Server (HMS) al procesar solicitudes de eliminaci\u00f3n de estad\u00edsticas de columnas a trav\u00e9s de las API T.hrift. La vulnerabilidad solo puede ser explotada por usuarios/aplicaciones de confianza/autorizados a los que se les permite llamar directamente a las API Thrift. En la mayor\u00eda de las implementaciones del mundo real, solo unas pocas aplicaciones (por ejemplo, Hiveserver2) pueden acceder a HMS, por lo que la vulnerabilidad no es explotable. Adem\u00e1s, no se puede acceder al c\u00f3digo vulnerable cuando la propiedad metastore.try.direct.sql est\u00e1 establecida en false. Este problema afecta a Apache Hive: desde la versi\u00f3n 4.1.0 hasta la 4.2.0. Se recomienda a los usuarios que actualicen a la versi\u00f3n 4.2.0, que corrige el problema. Se recomienda a los usuarios que no puedan actualizar directamente que establezcan la propiedad metastore.try.direct.sql en false si las API Thrift de HMS est\u00e1n expuestas al p\u00fablico en general."}], "lastModified": "2025-12-04T16:46:46.587", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:hive:4.1.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "40B6BA41-E7FC-4FFE-BEF8-62F1B668E8D1"}], "operator": "OR"}]}], "sourceIdentifier": "security@apache.org"}