CVE-2023-35701 in Hive
Summary
by MITRE • 05/03/2024
Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Hive.
The vulnerability affects the Hive JDBC driver component and it can potentially lead to arbitrary code execution on the machine/endpoint that the JDBC driver (client) is running. The malicious user must have sufficient permissions to specify/edit JDBC URL(s) in an endpoint relying on the Hive JDBC driver and the JDBC client process must run under a privileged user to fully exploit the vulnerability.
The attacker can setup a malicious HTTP server and specify a JDBC URL pointing towards this server. When a JDBC connection is attempted, the malicious HTTP server can provide a special response with customized payload that can trigger the execution of certain commands in the JDBC client.This issue affects Apache Hive: from 4.0.0-alpha-1 before 4.0.0.
Users are recommended to upgrade to version 4.0.0, which fixes the issue.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 07/10/2025
The CVE-2023-35701 vulnerability represents a critical code injection flaw within Apache Hive's JDBC driver component, classified under the CWE-94 category of Improper Control of Generation of Code. This vulnerability exists in the Hive JDBC driver implementation and creates a pathway for remote code execution on systems where the JDBC client operates. The flaw specifically manifests when the JDBC client processes JDBC connection URLs that point to untrusted endpoints, allowing malicious actors to inject and execute arbitrary commands within the context of the JDBC client process. The vulnerability operates through a sophisticated attack vector that leverages the JDBC driver's trust model and its handling of remote connection parameters.
The technical exploitation of this vulnerability requires a specific set of conditions to be met for successful compromise. An attacker must first gain the ability to modify or specify JDBC connection URLs within an environment that utilizes the Hive JDBC driver, which typically involves having administrative or configuration privileges within the application or system that consumes the JDBC driver. Additionally, the JDBC client process itself must execute with elevated privileges, as this determines the scope and impact of potential code execution. The attack methodology involves setting up a malicious HTTP server that responds to connection attempts with specially crafted payloads designed to trigger command execution within the JDBC client context. This approach aligns with ATT&CK technique T1059.007 for Command and Scripting Interpreter, specifically targeting the execution of commands through JDBC connections.
The operational impact of this vulnerability extends beyond simple code injection to potentially enable full system compromise when proper privilege separation is not maintained. The vulnerability affects Apache Hive versions from 4.0.0-alpha-1 through the pre-release versions, indicating that this flaw existed in the development lifecycle before the official 4.0.0 release. The attack surface is particularly concerning for environments where Hive JDBC drivers are used in enterprise applications, data processing pipelines, or any system where JDBC connections are established programmatically. When exploited, the vulnerability can allow attackers to execute arbitrary commands with the privileges of the JDBC client process, potentially leading to data exfiltration, system enumeration, or further lateral movement within the network infrastructure. The vulnerability's impact is amplified in environments where JDBC clients run with elevated privileges or where the JDBC driver is used in automated processes.
Organizations should prioritize immediate remediation through upgrading to Apache Hive version 4.0.0 or later, which contains the necessary patches to address this vulnerability. The fix implemented in version 4.0.0 specifically addresses the improper handling of JDBC URL parameters and strengthens the validation mechanisms for connection strings. Additional mitigations should include implementing strict network segmentation to prevent unauthorized access to systems running Hive JDBC clients, enforcing least privilege principles for JDBC client processes, and monitoring for suspicious JDBC connection patterns or attempts to establish connections to unexpected endpoints. Security teams should also consider implementing network-level controls to block outbound connections from JDBC clients to unknown or untrusted HTTP servers, as this can prevent exploitation attempts even if other controls fail. The vulnerability demonstrates the importance of proper input validation in database driver components and highlights the need for security-conscious development practices in enterprise data processing frameworks.