Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Apache Hive Information Exposure and Observable Timing Discrepancy
Apache Hive cookie signature verification used a non-constant-time comparison, which is known to be vulnerable to timing attacks. This could allow recovery of another user's cookie signature. The issue was addressed in Apache Hive 2.3.8.
Permalink: https://github.com/advisories/GHSA-54g4-5cf6-hjp3
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTU0ZzQtNWNmNi1oanAz
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 2 years ago
Updated: about 1 year ago
CVSS Score: 5.9
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Identifiers: GHSA-54g4-5cf6-hjp3, CVE-2020-1926
References:
- https://nvd.nist.gov/vuln/detail/CVE-2020-1926
- https://issues.apache.org/jira/browse/HIVE-22708
- https://lists.apache.org/thread.html/rd186eedff68102ba1e68059a808101c5aa587e11542c7dcd26e7b9d7%40%3Cuser.hive.apache.org%3E
- https://github.com/advisories/GHSA-54g4-5cf6-hjp3
Affected Packages
maven:org.apache.hive:hive
Dependent packages: 2
Dependent repositories: 7
Downloads:
Affected Version Ranges: < 2.3.8
Fixed in: 2.3.8
All affected versions: 0.13.0, 0.13.1, 0.14.0, 1.0.0, 1.0.1, 1.1.0, 1.1.1, 1.2.0, 1.2.1, 1.2.2, 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 2.3.7
All unaffected versions: 2.3.8, 2.3.9, 3.0.0, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 4.0.0