Posted to issues@hive.apache.org by "ASF GitHub Bot (Jira)" <ji...@apache.org> on 2023/04/23 13:35:00 UTC

[jira] [Work logged] (HIVE-27287) Upgrade Commons-text to 1.10.0 to fix CVE

     [ https://issues.apache.org/jira/browse/HIVE-27287?focusedWorklogId=858641&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-858641 ]

ASF GitHub Bot logged work on HIVE-27287:
-----------------------------------------

                Author: ASF GitHub Bot
            Created on: 23/Apr/23 13:34
            Start Date: 23/Apr/23 13:34
    Worklog Time Spent: 10m 
      Work Description: Aggarwal-Raghav opened a new pull request, #4260:
URL: https://github.com/apache/hive/pull/4260

   ### What changes were proposed in this pull request?
   Upgrade Commons-text to 1.10.0 because of [CVE-2022-42889](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42889)
   
   ### Why are the changes needed?
   Apache Commons Text versions prior to 1.8 are vulnerable to [CVE-2022-42889](https://nvd.nist.gov/vuln/detail/CVE-2022-42889), which involves potential script execution when processing untrusted input using StringLookup. Direct and transitive references to Apache Commons Text prior to 1.10.0 should be upgraded to avoid the default interpolation behaviour.
   
   
   ### Does this PR introduce _any_ user-facing change?
   NO
   
   
   ### How was this patch tested?
   On Local Machine
   




Issue Time Tracking
-------------------

            Worklog Id:     (was: 858641)
    Remaining Estimate: 0h
            Time Spent: 10m

> Upgrade Commons-text to 1.10.0 to fix CVE
> -----------------------------------------
>
>                 Key: HIVE-27287
>                 URL: https://issues.apache.org/jira/browse/HIVE-27287
>             Project: Hive
>          Issue Type: Improvement
>            Reporter: Raghav Aggarwal
>            Assignee: Raghav Aggarwal
>            Priority: Major
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> Apache Commons Text versions prior to 1.8 are vulnerable to [CVE-2022-42889|https://nvd.nist.gov/vuln/detail/CVE-2022-42889], which involves potential script execution when processing untrusted input using {{StringLookup}}. Direct and transitive references to Apache Commons Text prior to 1.10.0 should be upgraded to avoid the default interpolation behaviour.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
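As an added illustration (not code from this ticket, the PR, or Hive itself): besides upgrading the dependency, a consumer of commons-text can stop depending on the library's default lookup set altogether by building its StringSubstitutor from an explicit allowlist of lookups, so that only the prefixes it names are ever interpolated. The class name RestrictedInterpolation, the "cfg" prefix and the sample values are assumptions made for the example.

```java
import java.util.HashMap;
import java.util.Map;
import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

// Example class (assumed name); demonstrates an allowlisted interpolator.
public final class RestrictedInterpolation {

    // Build a substitutor whose only interpolation prefix is "cfg", backed by an
    // in-memory map. addDefaultLookups=false keeps the library's built-in lookups
    // (env, sys, and, on affected versions, script/dns/url) out of the resolver,
    // and a null default lookup means unprefixed or unknown references stay literal.
    static StringSubstitutor restrictedSubstitutor(Map<String, String> cfg) {
        Map<String, StringLookup> allowed = new HashMap<>();
        allowed.put("cfg", StringLookupFactory.INSTANCE.mapStringLookup(cfg));
        StringLookup interpolator = StringLookupFactory.INSTANCE
                .interpolatorStringLookup(allowed, null, false);
        StringSubstitutor sub = new StringSubstitutor(interpolator);
        // Do not resolve nested ${...} inside variable names either.
        sub.setEnableSubstitutionInVariables(false);
        return sub;
    }

    public static void main(String[] args) {
        // Constructed sample configuration.
        Map<String, String> cfg = new HashMap<>();
        cfg.put("warehouse", "/warehouse/tablespace");
        StringSubstitutor sub = restrictedSubstitutor(cfg);

        // Allowed prefix resolves from the map.
        System.out.println(sub.replace("root=${cfg:warehouse}"));
        // Any prefix outside the allowlist is left untouched in the output.
        System.out.println(sub.replace("home=${env:HOME}"));
    }
}
```

The first line prints `root=/warehouse/tablespace`; the second keeps `${env:HOME}` verbatim because `env` is not in the allowlist, and the same holds for every other built-in prefix.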