{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-24T02:44:32.775","vulnerabilities":[{"cve":{"id":"CVE-2025-62728","sourceIdentifier":"security@apache.org","published":"2025-11-26T09:15:46.293","lastModified":"2025-12-04T16:46:46.587","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"SQL injection vulnerability in Hive Metastore Server (HMS) when processing delete column statistics requests via the Thrift APIs. The vulnerability is only exploitable by trusted/authorized users/applications that are allowed to call directly the Thrift APIs. In most real-world deployments, HMS is accessible to only a handful of applications (e.g., Hiveserver2) thus the vulnerability is not exploitable. Moreover, the vulnerable code cannot be reached when metastore.try.direct.sql property is set to false.\n\nThis issue affects Apache Hive: from 4.1.0 before 4.2.0.\n\nUsers are recommended to upgrade to version 4.2.0, which fixes the issue. Users who cannot upgrade directly are encouraged to set metastore.try.direct.sql property to false if the HMS Thrift APIs are exposed to general public."},{"lang":"es","value":"Vulnerabilidad de inyección SQL en Hive Metastore Server (HMS) al procesar solicitudes de eliminación de estadísticas de columnas a través de las API T.hrift. La vulnerabilidad solo puede ser explotada por usuarios/aplicaciones de confianza/autorizados a los que se les permite llamar directamente a las API Thrift. En la mayoría de las implementaciones del mundo real, solo unas pocas aplicaciones (por ejemplo, Hiveserver2) pueden acceder a HMS, por lo que la vulnerabilidad no es explotable. Además, no se puede acceder al código vulnerable cuando la propiedad metastore.try.direct.sql está establecida en false. Este problema afecta a Apache Hive: desde la versión 4.1.0 hasta la 4.2.0. Se recomienda a los usuarios que actualicen a la versión 4.2.0, que corrige el problema. Se recomienda a los usuarios que no puedan actualizar directamente que establezcan la propiedad metastore.try.direct.sql en false si las API Thrift de HMS están expuestas al público en general."}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N","baseScore":5.4,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":2.5}]},"weaknesses":[{"source":"security@apache.org","type":"Secondary","description":[{"lang":"en","value":"CWE-89"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:apache:hive:4.1.0:*:*:*:*:*:*:*","matchCriteriaId":"40B6BA41-E7FC-4FFE-BEF8-62F1B668E8D1"}]}]}],"references":[{"url":"https://lists.apache.org/thread/yj65dd8dmzgy8p3nv8zy33v8knzg9o7g","source":"security@apache.org","tags":["Vendor Advisory"]},{"url":"http://www.openwall.com/lists/oss-security/2025/11/26/3","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Third Party Advisory"]}]}}]}