CVE-2024-29869: 
Java vulnerability analysis and mitigation

Apache Hive versions 1.1.0 through 4.0.0 contain a security vulnerability (CVE-2024-29869) where the software creates credentials files with overly permissive default permissions (644) in temporary directories when file permissions are not explicitly set. This vulnerability was discovered in January 2025 and affects all Apache Hive installations where custom file permissions are not configured (Apache Security).

The vulnerability stems from Apache Hive's credential file handling mechanism where temporary credential files are created with default Unix permissions of 644 (readable by all users) when permissions are not explicitly specified. This is tracked as CWE-732 (Incorrect Permission Assignment for Critical Resource). The vulnerability has received a CVSS v3.1 base score of 5.5 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, indicating local access is required but the potential for high confidentiality impact (NVD Database).

The vulnerability allows any unauthorized user with access to the temporary directory to read sensitive information stored in the credentials files. This could potentially lead to the exposure of authentication credentials and other sensitive data used by Hive for data lake operations (Security Online).

Users are strongly recommended to upgrade to Apache Hive version 4.0.1, which fixes this vulnerability by implementing proper file permission controls. The fix includes modifications to the SecureCmdDoAs implementation to ensure appropriate file permissions are set (Apache Security, GitHub Commit).