[jira] [Commented] (HIVE-16035) Investigate potential SQL injection vulnerability in Hive
[ https://issues.apache.org/jira/browse/HIVE-16035?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15883568#comment-15883568 ]

Vihang Karajgaonkar commented on HIVE-16035:

Thanks [~thejas] I was not aware. I tried closing this but there is no "close" option. Resolved it as Invalid for now.

> Investigate potential SQL injection vulnerability in Hive
> ---------------------------------------------------------
>
>                 Key: HIVE-16035
>                 URL: https://issues.apache.org/jira/browse/HIVE-16035
>             Project: Hive
>          Issue Type: Bug
>          Components: Hive
>            Reporter: Vihang Karajgaonkar
>            Assignee: Vihang Karajgaonkar
>
> Some of the queries in ObjectStore and MetastoreDirectSql classes append
> String variables directly to the query text. This JIRA is to investigate the
> possible vulnerabilities and fix them using parameterized queries.

--
This message was sent by Atlassian JIRA (v6.3.15#6346)

[jira] [Commented] (HIVE-16035) Investigate potential SQL injection vulnerability in Hive
[ https://issues.apache.org/jira/browse/HIVE-16035?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15883543#comment-15883543 ]

Thejas M Nair commented on HIVE-16035:

[~vihangk1] Please see - https://www.apache.org/security/committers.html

TLDR - Security vulnerabilities should not be investigated/discussed in public until a fix is out. Please involve security mailing list secur...@hive.apache.org if you suspect there is an issue or to report one.

I think it's better to close this jira and follow this process.