CVE-2024-23953

CWE-208, CWE-290 | 4 documents | 4 sources
Severity: 6.5 (MEDIUM)
EPSS: 1.5% (top 18.93%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published 2025-01-28

Description

Use of Arrays.equals() in LlapSignerImpl in Apache Hive to compare message signatures allows attacker to forge a valid signature for an arbitrary message byte by byte. The attacker should be an authorized user of the product to perform this attack. Users are recommended to upgrade to version 4.0.0, which fixes this issue. The problem occurs when an application doesn’t use a constant-time algorithm for validating a signature. The method Arrays.equals() returns false right away when it sees that
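The mechanism in the description, worked through as an added example (this is not Hive's code, and it is written in Python rather than Java so it runs stand-alone): an HMAC verifier whose comparison has the same shape as Arrays.equals(), beside one that uses a constant-time compare (hmac.compare_digest here, the role MessageDigest.isEqual() plays in Java), and the byte-by-byte recovery that the early exit makes possible. The key, the message and the signature length are constructed for the demonstration; the `compared` counter stands in for the wall-clock measurement a real attacker would take, which over a network has to be averaged across many requests to overcome noise. As the CVE notes, the attacker only needs to be able to submit signatures for verification, which an authorized user can do.

```python
import hashlib
import hmac
import secrets

# Constructed inputs for the demonstration (not Hive's real key or token format).
KEY = secrets.token_bytes(32)
MESSAGE = b"llap-token:user=alice;app=hive;expires=1700000000"
SIG_LEN = hashlib.sha256().digest_size  # 32


def sign(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 stands in for the signer's MAC; the attacker never holds `key`."""
    return hmac.new(key, message, hashlib.sha256).digest()


class EarlyExitVerifier:
    """Vulnerable pattern: the same shape as Arrays.equals(signature, expected).

    The loop returns at the first mismatching byte, so the time spent scales with
    the length of the correct prefix.  `compared` records how many bytes were
    examined on the last call and stands in for the timing measurement.
    """

    def __init__(self, key: bytes) -> None:
        self._key = key
        self.compared = 0
        self.queries = 0

    def verify(self, message: bytes, candidate: bytes) -> bool:
        expected = sign(self._key, message)
        self.queries += 1
        self.compared = 0
        if len(candidate) != len(expected):
            return False
        for got, want in zip(candidate, expected):
            self.compared += 1
            if got != want:
                return False  # early exit: leaks the position of the first bad byte
        return True


class ConstantTimeVerifier:
    """Hardened pattern: every byte is examined regardless of where a mismatch is.

    hmac.compare_digest plays the role MessageDigest.isEqual plays in Java.
    """

    def __init__(self, key: bytes) -> None:
        self._key = key
        self.compared = 0
        self.queries = 0

    def verify(self, message: bytes, candidate: bytes) -> bool:
        expected = sign(self._key, message)
        self.queries += 1
        self.compared = len(expected)  # full-length scan on every call: nothing to time
        return hmac.compare_digest(candidate, expected)


def forge_signature(verifier, message: bytes, sig_len: int = SIG_LEN):
    """Recover a valid signature for `message` byte by byte using only the verifier.

    For position i the attacker tries all 256 values.  With an early-exit compare,
    exactly one guess makes the comparison run past byte i (compared > i + 1) or,
    for the final byte, makes verify() accept.  If the leak does not single out
    one value, the comparison is not exploitable this way and None is returned.
    """
    forged = bytearray(sig_len)
    for i in range(sig_len):
        candidates = []
        for guess in range(256):
            forged[i] = guess
            if verifier.verify(message, bytes(forged)):
                return bytes(forged)  # complete forgery accepted
            if verifier.compared > i + 1:  # comparison advanced past byte i: it matched
                candidates.append(guess)
        if len(candidates) != 1:
            return None  # no usable leak (constant-time compare)
        forged[i] = candidates[0]
    return None


if __name__ == "__main__":
    leaky = EarlyExitVerifier(KEY)
    forged = forge_signature(leaky, MESSAGE)
    print("early-exit compare:",
          "forged" if forged == sign(KEY, MESSAGE) else "failed",
          f"after {leaky.queries} queries")
    safe = ConstantTimeVerifier(KEY)
    print("constant-time compare:",
          "forged" if forge_signature(safe, MESSAGE) else "no leak",
          f"after {safe.queries} queries")
```

Against the early-exit verifier the forgery completes in at most 256 queries per byte (8192 for a 32-byte MAC, far fewer on average) without ever seeing the key; against the constant-time verifier the first position already yields 256 indistinguishable candidates and the attack stops. The same distinction applies to any Java code that compares a MAC, signature or token with Arrays.equals(), String.equals() or a hand-written loop: use MessageDigest.isEqual() or another comparison whose running time does not depend on where the inputs differ.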

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Exploitability: 2.8 | Impact: 3.6

Affected Packages (3 packages)

NVD | apache/hive | affected >= 2.2.0, fixed in 4.0.0
CVEListV5 | apache_software_foundation/apache_hive | affected >= 2.2.0, fixed in 4.0.0

Patches

Vulnerability Details (3)

GHSA: Apache Hive vulnerable to Observable Timing Discrepancy and Authentication Bypass by Spoofing (2025-01-28)
OSV: Apache Hive vulnerable to Observable Timing Discrepancy and Authentication Bypass by Spoofing (2025-01-28)
CVEList: Apache Hive: Timing Attack Against Signature in LLAP util (2025-01-28)