{"id":"CVE-2022-41137","details":"Apache Hive Metastore (HMS) uses the SerializationUtilities#deserializeObjectWithTypeInformation method when filtering and fetching partitions. The method is unsafe because it deserializes arbitrary caller-supplied data, which can lead to Remote Code Execution (RCE).\n\nIn real deployments, the vulnerability can be exploited only by authenticated users/clients that were able to successfully establish a connection to the Metastore. From an API perspective, any code that calls the unsafe method may be vulnerable unless it performs additional pre-checks on the input arguments.","aliases":["GHSA-6hqr-c69m-r76q"],"modified":"2026-03-14T11:54:40.466712Z","published":"2024-12-05T10:15:04.450Z","references":[{"type":"ADVISORY","url":"https://lists.apache.org/thread/jwtr3d9yovf2wo0qlxvkhoxnwxxyzgts"},{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2024/12/04/2"},{"type":"REPORT","url":"https://issues.apache.org/jira/browse/HIVE-26539"},{"type":"FIX","url":"https://github.com/apache/hive/commit/60027bb9c91a93affcfebd9068f064bc1f2a74c9"},{"type":"PACKAGE","url":"https://github.com/apache/hive"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/hive","events":[{"introduced":"0"},{"fixed":"60027bb9c91a93affcfebd9068f064bc1f2a74c9"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-41137.json","vanir_signatures":[{"signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["176252969647808819018956217042418030054","148765723542959021775041479029359294166","109646971673034884526254632607416440396","96777492195815811987895310964170001917","275610775353484647010641099073039938116","186784018516718734145129976931224401193","91040751201010041843362994917424120478","203315196876360469223612076598856915083","297726764222781860821609643520331694883","93185151900701281387028188233629952707","156554147834937369276481875105126795013","331202356562580726519232815468518700
730","254172917600993851173986950264644358540","193401062204728262232018650555070648923","200633276573483699658064295815442173545"]},"source":"https://github.com/apache/hive/commit/60027bb9c91a93affcfebd9068f064bc1f2a74c9","id":"CVE-2022-41137-0ce99ac7","deprecated":false,"target":{"file":"ql/src/test/org/apache/hadoop/hive/ql/exec/TestSerializationUtilities.java"},"signature_type":"Line"},{"signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["263856913626910905354104002981922829013","162790852404277127451425496830849228309","67889690432705714173763375026543483726","18856704957606996723303946333703388103","177172567606494834083022104241806423403","234926539788456250129929320541185100527","326348501204951253055819365028006683721","89674929784629085464548469844115393022","215212851182668798429202669811327828698","234007931132895321726276308777948418358","339964719829410395527165794888369619804","120207412203677137346631569470792912868","153265536178319850165435216646959288526","309222956129500248050813712786945129372","186957300040246786784082552195084652150","205766724276707331664954489763609523545","313807341291995520109622741102043546588","249215863235046194667201175805486663559"]},"source":"https://github.com/apache/hive/commit/60027bb9c91a93affcfebd9068f064bc1f2a74c9","id":"CVE-2022-41137-0fc6087f","deprecated":false,"target":{"file":"standalone-metastore/metastore-server/src/main/java/org/apache/hadoop/hive/metastore/ObjectStore.java"},"signature_type":"Line"},{"signature_version":"v1","digest":{"length":387,"function_hash":"29621208303472556323039160039525316033"},"source":"https://github.com/apache/hive/commit/60027bb9c91a93affcfebd9068f064bc1f2a74c9","id":"CVE-2022-41137-385e3345","deprecated":false,"target":{"function":"deserializeExpr","file":"ql/src/java/org/apache/hadoop/hive/ql/optimizer/ppr/PartitionExpressionForMetastore.java"},"signature_type":"Function"},{"signature_version":"v1","digest":{"length":452,"function_hash":"125137454714460466
793633556305816281759"},"source":"https://github.com/apache/hive/commit/60027bb9c91a93affcfebd9068f064bc1f2a74c9","id":"CVE-2022-41137-3dbe38c8","deprecated":false,"target":{"function":"createExpressionProxy","file":"standalone-metastore/metastore-server/src/main/java/org/apache/hadoop/hive/metastore/ObjectStore.java"},"signature_type":"Function"},{"signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["54160317792387969614035647418100657180","296746150790626136187213312726909145619","133479562210225632537696404987514320452","172994094651553346583643203842836212636","246513948614157673739246114564643926902","263005736405376511539136982027209196512","57183021538823422327191810049997480919","202447139807854788175261452009892502475"]},"source":"https://github.com/apache/hive/commit/60027bb9c91a93affcfebd9068f064bc1f2a74c9","id":"CVE-2022-41137-471b9278","deprecated":false,"target":{"file":"ql/src/java/org/apache/hadoop/hive/ql/optimizer/ppr/PartitionExpressionForMetastore.java"},"signature_type":"Line"},{"signature_version":"v1","digest":{"length":133,"function_hash":"327778368396670354291282487749421437126"},"source":"https://github.com/apache/hive/commit/60027bb9c91a93affcfebd9068f064bc1f2a74c9","id":"CVE-2022-41137-5bb23cd3","deprecated":false,"target":{"function":"releaseKryo","file":"ql/src/java/org/apache/hadoop/hive/ql/exec/SerializationUtilities.java"},"signature_type":"Function"},{"signature_version":"v1","digest":{"length":201,"function_hash":"56697521908859849453345942894901448451"},"source":"https://github.com/apache/hive/commit/60027bb9c91a93affcfebd9068f064bc1f2a74c9","id":"CVE-2022-41137-871cf77f","deprecated":false,"target":{"function":"deserializeObjectWithTypeInformation","file":"ql/src/java/org/apache/hadoop/hive/ql/exec/SerializationUtilities.java"},"signature_type":"Function"},{"signature_version":"v1","digest":{"length":890,"function_hash":"58445830554887856220949734530226159065"},"source":"https://github.com/apache/hive/commit/60027bb9
c91a93affcfebd9068f064bc1f2a74c9","id":"CVE-2022-41137-b24dcd9c","deprecated":false,"target":{"function":"initialize","file":"standalone-metastore/metastore-server/src/main/java/org/apache/hadoop/hive/metastore/ObjectStore.java"},"signature_type":"Function"},{"signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["239125987013368652811930601419083416938","3095297029928773302791831827849429650","104793357801422377043062502024091782850","194938387532650857879923975758710379764","209305229933614050655028363085689596044","76498419413052270791357166651162051998","227180716914888642545709711978451084886","133501533758232873726091027015031643550","38483496538749636820237160168650857287","226710315466895972320058996717086031143","25773735487705901914145650110757454270","13370894027188427751760949226928666250","284979136164576521226654585713305606734","51630398157720103564879958393021497954","261267976775995942958934979224649310236","36521724375749627793096775629357696308","177118579829607480453942225514121444691"]},"source":"https://github.com/apache/hive/commit/60027bb9c91a93affcfebd9068f064bc1f2a74c9","id":"CVE-2022-41137-c62f2824","deprecated":false,"target":{"file":"ql/src/java/org/apache/hadoop/hive/ql/exec/SerializationUtilities.java"},"signature_type":"Line"}],"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"4.0.0-alpha1"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H"}]}
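Added illustration, not part of this OSV record and not Hive's own code: the record says the Metastore reads a caller-supplied serialized object "with type information", which with Kryo means the bytes name the class to instantiate. The program below shows that pattern on an unrestricted Kryo instance beside a registration-restricted instance that rejects any class the server did not explicitly register. It assumes com.esotericsoftware:kryo 5.x on the classpath; the classes FilterExpr and NotAnExpr are hypothetical stand-ins for a legitimate partition-filter expression and an attacker-chosen type. For what Hive actually changed, read the commit linked under FIX; this example shows the general hardening, not that patch.

```java
// Added illustration (not Hive's code): Kryo "class-and-object" reads let the
// SENDER choose the class unless the reader requires registration.
// Assumes com.esotericsoftware:kryo 5.x. FilterExpr/NotAnExpr are hypothetical.
import com.esotericsoftware.kryo.Kryo;
import com.esotericsoftware.kryo.io.Input;
import com.esotericsoftware.kryo.io.Output;

import java.io.ByteArrayOutputStream;

public class KryoDeserializationDemo {

    // The only type the server legitimately expects from a client.
    public static class FilterExpr {
        public String column;
        public String value;
    }

    // A type the client should never be able to make the server instantiate.
    // Any class on the server classpath could stand here; classes whose
    // constructors, setters or readObject-style hooks have side effects are
    // what turns "arbitrary deserialization" into code execution.
    public static class NotAnExpr {
        public String payload;
    }

    // Vulnerable pattern: registration not required (Kryo 4 default; Kryo 5
    // must be told explicitly), so the class name travels inside the bytes.
    static Kryo unrestrictedKryo() {
        Kryo kryo = new Kryo();
        kryo.setRegistrationRequired(false);
        return kryo;
    }

    // Hardened pattern: registration required and only the expected type
    // registered, so an unknown class ID/name is rejected before any
    // instance of it is created.
    static Kryo restrictedKryo() {
        Kryo kryo = new Kryo();
        kryo.setRegistrationRequired(true);
        kryo.register(FilterExpr.class);
        return kryo;
    }

    // Write an object together with its class, as a client would.
    static byte[] serialize(Kryo kryo, Object obj) {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (Output out = new Output(bos)) {
            kryo.writeClassAndObject(out, obj);
        }
        return bos.toByteArray();
    }

    // Read whatever class the bytes name; the reader's Kryo decides whether
    // that class is acceptable.
    static Object deserialize(Kryo kryo, byte[] bytes) {
        try (Input in = new Input(bytes)) {
            return kryo.readClassAndObject(in);
        }
    }

    public static void main(String[] args) {
        // Constructed "untrusted" input: the client chose a class the server
        // never asked for.
        NotAnExpr evil = new NotAnExpr();
        evil.payload = "attacker-controlled";
        byte[] untrusted = serialize(unrestrictedKryo(), evil);

        // Unrestricted reader: instantiates whatever class the bytes name.
        Object got = deserialize(unrestrictedKryo(), untrusted);
        System.out.println("unrestricted reader built: " + got.getClass().getName());

        // Restricted reader: Kryo reports the unregistered class as an
        // IllegalArgumentException ("Class is not registered") before
        // constructing it. RuntimeException is caught to also cover
        // KryoException variants across Kryo versions.
        try {
            deserialize(restrictedKryo(), untrusted);
            System.out.println("restricted reader: accepted (unexpected)");
        } catch (RuntimeException e) {
            System.out.println("restricted reader rejected input: " + e.getMessage());
        }

        // Legitimate input still round-trips on the restricted instance.
        FilterExpr ok = new FilterExpr();
        ok.column = "ds";
        ok.value = "2022-01-01";
        byte[] legit = serialize(restrictedKryo(), ok);
        FilterExpr back = (FilterExpr) deserialize(restrictedKryo(), legit);
        System.out.println("restricted reader accepted: " + back.column + "=" + back.value);
    }
}
```

The check a practitioner wants after reading this record: any Metastore entry point that hands client bytes to deserializeObjectWithTypeInformation (the partition-filter paths named above) must either run on a Kryo instance that requires registration of a closed set of expression classes, or validate the bytes before deserializing; a cast to the expected type after readClassAndObject is too late, because the object has already been constructed. The PR:L in the CVSS vector matches the record's note that only clients able to authenticate and connect to the Metastore can reach this path.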