Vulnerability Details CVE-2020-1926
Apache Hive cookie signature verification used a non-constant-time comparison, which is known to be vulnerable to timing attacks. This could allow recovery of another user's cookie signature. The issue was addressed in Apache Hive 2.3.8.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 41.7%
CVSS Severity
CVSS v3 Score 5.9
CVSS v2 Score 4.3
Products affected by CVE-2020-1926
- cpe:2.3:a:apache:hive:0.10.0
- cpe:2.3:a:apache:hive:0.11.0
- cpe:2.3:a:apache:hive:0.12.0
- cpe:2.3:a:apache:hive:0.13.0
- cpe:2.3:a:apache:hive:0.13.1
- cpe:2.3:a:apache:hive:0.14.0
- cpe:2.3:a:apache:hive:0.3.0
- cpe:2.3:a:apache:hive:0.4.0
- cpe:2.3:a:apache:hive:0.4.1
- cpe:2.3:a:apache:hive:0.5.0
- cpe:2.3:a:apache:hive:0.6.0
- cpe:2.3:a:apache:hive:0.7.0
- cpe:2.3:a:apache:hive:0.7.1
- cpe:2.3:a:apache:hive:0.8.0
- cpe:2.3:a:apache:hive:0.8.1
- cpe:2.3:a:apache:hive:0.9.0
- cpe:2.3:a:apache:hive:1.0.0
- cpe:2.3:a:apache:hive:1.0.1
- cpe:2.3:a:apache:hive:1.1.0
- cpe:2.3:a:apache:hive:1.1.1
- cpe:2.3:a:apache:hive:1.2.0
- cpe:2.3:a:apache:hive:1.2.1
- cpe:2.3:a:apache:hive:1.2.2
- cpe:2.3:a:apache:hive:2.0.0
- cpe:2.3:a:apache:hive:2.0.1
- cpe:2.3:a:apache:hive:2.1.0
- cpe:2.3:a:apache:hive:2.1.1
- cpe:2.3:a:apache:hive:2.2.0
- cpe:2.3:a:apache:hive:2.2.1
- cpe:2.3:a:apache:hive:2.3.0
- cpe:2.3:a:apache:hive:2.3.1
- cpe:2.3:a:apache:hive:2.3.2
- cpe:2.3:a:apache:hive:2.3.3
- cpe:2.3:a:apache:hive:2.3.4
- cpe:2.3:a:apache:hive:2.3.5
- cpe:2.3:a:apache:hive:2.3.6
- cpe:2.3:a:apache:hive:2.3.7