
CVE-2022-41137

Severity: High | Type: RCE

Published: 05 December 2024
Modified: 15 July 2025
KEV Added: not listed
Patch: fix committed (HIVE-26539)
CVSS Score v3.1: 8.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H)
EPSS Score: 0.0819 (92.4th percentile)
Risk Priority: 22 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-41137 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Apache Hive. Its CVSS base score is 8.3 (High).

Operationally, it ranks in the top 7.6% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

Apache Hive Metastore (HMS) is affected by an unsafe deserialization flaw tracked as CVE-2022-41137. The component SerializationUtilities#deserializeObjectWithTypeInformation is invoked during partition filtering and retrieval operations, permitting deserialization of attacker-controlled data without sufficient type checks or validation and resulting in remote code execution. The issue is classified under CWE-502 and carries a CVSS 3.1 score of 8.3.

Only authenticated clients that have already established a connection to the Metastore can trigger the flaw. Successful exploitation allows the attacker to execute arbitrary code on the server; any caller of the unsafe method is exposed unless it implements its own input validation beforehand.

Public references point to a fix committed in the Apache Hive repository and tracked under HIVE-26539, along with coordinated disclosure through the Apache mailing lists and Openwall. The patch addresses the deserialization path, and operators are advised to apply the update or ensure callers perform explicit argument checks before invoking the method.
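As an added illustration of the explicit argument checks the advisory asks callers to perform (example code written for this page, not Apache Hive's own), the wrapper below applies a JDK ObjectInputFilter allowlist so that only the expected value types can be instantiated; the class name, the allowlist and the sample payload are assumptions.

```java
import java.io.*;
import java.util.HashMap;
import java.util.Map;

// Added example, not Apache Hive code. GuardedDeserializer and its allowlist are assumptions.
public final class GuardedDeserializer {

    // JDK serialization filter (Java 9+): allow only the simple value types a partition
    // filter legitimately carries, cap nesting depth, and reject every other class ("!*").
    // Rejection happens when the class descriptor is read, before any constructor or
    // readObject() of an unexpected type can run.
    private static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
        "maxdepth=8;java.lang.*;java.util.HashMap;java.util.ArrayList;!*");

    // Deserialize untrusted bytes under the filter and enforce the caller-declared result type.
    public static <T> T deserialize(byte[] untrusted, Class<T> expected)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            in.setObjectInputFilter(FILTER);
            return expected.cast(in.readObject());
        }
    }

    private static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a benign partition key/value map is accepted.
        Map<String, String> keys = new HashMap<>();
        keys.put("ds", "2024-12-05");
        System.out.println("accepted: " + deserialize(serialize(keys), Map.class));

        // Any class outside the allowlist (here a harmless java.util.Date standing in for
        // an unexpected type) is refused with InvalidClassException instead of being built.
        try {
            deserialize(serialize(new java.util.Date(0)), Object.class);
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same filter can be installed process-wide with the jdk.serialFilter system property, which also covers code paths that do not go through a wrapper.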

EPSS scores have remained low throughout the observation window, indicating limited observed exploitation activity to date.


Vulnerability details

Apache Hive Metastore (HMS) uses the SerializationUtilities#deserializeObjectWithTypeInformation method when filtering and fetching partitions; this method is unsafe and can lead to Remote Code Execution (RCE) since it allows the deserialization of arbitrary data. In real deployments, the vulnerability can be exploited only by authenticated users/clients that were able to successfully establish a connection to the Metastore. From an API perspective, any code that calls the unsafe method may be vulnerable unless it performs additional pre-checks on the input arguments.

CWE(s): CWE-502 (Deserialization of Untrusted Data)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: apache
Product: hive
Version: 4.0.0

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry. Each control addresses CWE-502.

Penetration testing supplies malicious serialized objects, detecting unsafe deserialization and supporting corrective actions.

Evaluation of untrusted data handling (deserialization testing) reveals unsafe processing, which the required remediation process then addresses.

Untrusted serialized data can be deserialized and observed inside a sandbox, so a gadget chain cannot take effect outside it.

Validates or rejects untrusted serialized data before deserialization occurs.

Identifies and blocks malicious code introduced through deserialization of untrusted data at system boundaries.

Integrity verification of serialized information can detect tampering before deserialization occurs.

Provenance of associated data allows untrusted sources to be detected before deserialization or processing occurs.
