CVE-2020-1926

MEDIUM5.9EPSS 0.48%

Apache Hive Information Exposure and Observable Timing Discrepancy

Published: 2/9/2022Modified: 11/8/2023

Description

Apache Hive cookie signature verification used a non constant time comparison which is known to be vulnerable to timing attacks. This could allow recovery of another users cookie signature. The issue was addressed in Apache Hive 2.3.8

Affected packages (1)

Maven/org.apache.hive:hivefrom 0, < 2.3.8

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.9	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

References (3)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2020-1926
WEBhttps://issues.apache.org/jira/browse/HIVE-22708
WEBhttps://lists.apache.org/thread.html/rd186eedff68102ba1e68059a808101c5aa587e11542c7dcd26e7b9d7%40%3Cuser.hive.apache.org%3E