Vulnerability Details CVE-2020-1926
Apache Hive cookie signature verification used a non constant time comparison which is known to be vulnerable to timing attacks. This could allow recovery of another users cookie signature. The issue was addressed in Apache Hive 2.3.8
Exploit prediction scoring system (EPSS) score
EPSS Score 0.003
EPSS Ranking 49.3%
CVSS Severity
CVSS v3 Score 5.9
CVSS v2 Score 4.3
References
- https://issues.apache.org/jira/browse/HIVE-22708
- https://lists.apache.org/thread.html/rd186eedff68102ba1e68059a808101c5aa587e11542c7dcd26e7b9d7%40%3Cuser.hive.apache.org%3E
- https://issues.apache.org/jira/browse/HIVE-22708
- https://lists.apache.org/thread.html/rd186eedff68102ba1e68059a808101c5aa587e11542c7dcd26e7b9d7%40%3Cuser.hive.apache.org%3E
Products affected by CVE-2020-1926
-
cpe:2.3:a:apache:hive:0.10.0
-
cpe:2.3:a:apache:hive:0.11.0
-
cpe:2.3:a:apache:hive:0.12.0
-
cpe:2.3:a:apache:hive:0.13.0
-
cpe:2.3:a:apache:hive:0.13.1
-
cpe:2.3:a:apache:hive:0.14.0
-
cpe:2.3:a:apache:hive:0.3.0
-
cpe:2.3:a:apache:hive:0.4.0
-
cpe:2.3:a:apache:hive:0.4.1
-
cpe:2.3:a:apache:hive:0.5.0
-
cpe:2.3:a:apache:hive:0.6.0
-
cpe:2.3:a:apache:hive:0.7.0
-
cpe:2.3:a:apache:hive:0.7.1
-
cpe:2.3:a:apache:hive:0.8.0
-
cpe:2.3:a:apache:hive:0.8.1
-
cpe:2.3:a:apache:hive:0.9.0
-
cpe:2.3:a:apache:hive:1.0.0
-
cpe:2.3:a:apache:hive:1.0.1
-
cpe:2.3:a:apache:hive:1.1.0
-
cpe:2.3:a:apache:hive:1.1.1
-
cpe:2.3:a:apache:hive:1.2.0
-
cpe:2.3:a:apache:hive:1.2.1
-
cpe:2.3:a:apache:hive:1.2.2
-
cpe:2.3:a:apache:hive:2.0.0
-
cpe:2.3:a:apache:hive:2.0.1
-
cpe:2.3:a:apache:hive:2.1.0
-
cpe:2.3:a:apache:hive:2.1.1
-
cpe:2.3:a:apache:hive:2.2.0
-
cpe:2.3:a:apache:hive:2.2.1
-
cpe:2.3:a:apache:hive:2.3.0
-
cpe:2.3:a:apache:hive:2.3.1
-
cpe:2.3:a:apache:hive:2.3.2
-
cpe:2.3:a:apache:hive:2.3.3
-
cpe:2.3:a:apache:hive:2.3.4