Apache Hive Metastore (HMS) uses SerializationUtilities#deserializeObjectWithTypeInformation method when filtering and fetching partitions that is unsafe and can lead to Remote Code Execution (RCE) since it allows the deserialization of arbitrary data.

In real deployments, the vulnerability can be exploited only by authenticated users/clients that were able to successfully establish a connection to the Metastore. From an API perspective any code that calls the unsafe method may be vulnerable unless it performs additional prerechecks on the input arguments.

Affected Packages

Maven org.apache.hive:hive-exec

Affected versions: 4.0.0-alpha-1 (fixed in 4.0.0-alpha-2)

Related CVEs

CVE-2022-41137

Key Information

GHSA ID

GHSA-6hqr-c69m-r76q

Published

December 5, 2024 12:31 PM

Last Modified

December 5, 2024 7:57 PM

CVSS Score

7.5 /10

Primary Ecosystem

Maven

Primary Package

org.apache.hive:hive-exec

GitHub Reviewed

✓ Yes

Dataset

Last updated: July 26, 2025 6:37 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.