CVE-2020-1926 — Observable Timing Discrepancy in Software Foundation Apache Hive

CWE-208 — Observable Timing Discrepancy CWE-203 — Observable Discrepancy CWE-200 — Sensitive Information Exposure4 documents4 sources

Severity

5.9MEDIUMNVD

EPSS

0.5%

top 34.96%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Hive Apache Hive

Timeline

PublishedMar 16

Latest updateFeb 9

Description

Apache Hive cookie signature verification used a non constant time comparison which is known to be vulnerable to timing attacks. This could allow recovery of another users cookie signature. The issue was addressed in Apache Hive 2.3.8

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages2 packages

▶NVDapache/hive< 2.3.8

▶CVEListV5apache_software_foundation/apache_hiveApache Hive — 2.3.8

Patches

Patch: issues.apache.org ↗Patch: lists.apache.org ↗Patch: issues.apache.org ↗

🔴Vulnerability Details

OSV

Apache Hive Information Exposure and Observable Timing Discrepancy↗2022-02-09

▶

GHSA

Apache Hive Information Exposure and Observable Timing Discrepancy↗2022-02-09

▶

CVEList

Timing attack in Cookie signature verification↗2021-03-16

▶