7.5

CVE-2016-3083

EPSS 0.21%
Published 30.05.2017 14:29:00
Last modified 20.04.2025 01:37:25
Source security@apache.org
Teams watchlist Login
Open Login

Apache Hive (JDBC + HiveServer2) implements SSL for plain TCP and HTTP connections (it supports both transport modes). While validating the server's certificate during the connection setup, the client in Apache Hive before 1.2.2 and 2.0.x before 2.0.1 doesn't seem to be verifying the common name attribute of the certificate. In this way, if a JDBC client sends an SSL request to server abc.com, and the server responds with a valid certificate (certified by CA) but issued to xyz.com, the client will accept that as a valid certificate and the SSL handshake will go through.

Affected products Warnungen 0 Metrics 3 CWE 1 References 5

Data is provided by the National Vulnerability Database (NVD)

Apache ≫ Hive Version0.13.0

Apache ≫ Hive Version0.13.1

Apache ≫ Hive Version0.14.0

Apache ≫ Hive Version1.0.0

Apache ≫ Hive Version1.0.1

Apache ≫ Hive Version1.1.0

Apache ≫ Hive Version1.1.1

Apache ≫ Hive Version1.2.0

Apache ≫ Hive Version1.2.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.21%	0.431

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:N/I:P/A:N

CWE-295 Improper Certificate Validation

The product does not validate, or incorrectly validates, a certificate.

http://www.securityfocus.com/bid/98669

https://lists.apache.org/thread.html/0851bcf85635385f94cdaa008053802d92b4aab0a3075e30ed171192%40%3Cdev.hive.apache.org%3E

https://nvd.nist.gov/vuln/detail/CVE-2016-3083

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2016-3083

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2016-3083

EUVD