CVE-2020-1926

Source
https://nvd.nist.gov/vuln/detail/CVE-2020-1926
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-1926.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2020-1926
Aliases
Published
2021-03-16T13:15:11Z
Modified
2024-10-12T06:19:29.003670Z
Severity
  • 5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
[none]
Details

Apache Hive cookie signature verification used a non-constant-time comparison, which is known to be vulnerable to timing attacks. This could allow recovery of another user's cookie signature. The issue was addressed in Apache Hive 2.3.8.

References

Affected packages

Git / github.com/apache/hive

Affected ranges

Type
GIT
Repo
https://github.com/apache/hive
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

rel/release-2.*

rel/release-2.3.0
rel/release-2.3.1
rel/release-2.3.2
rel/release-2.3.4
rel/release-2.3.5
rel/release-2.3.6
rel/release-2.3.7

release-2.*

release-2.3.5-rc0
release-2.3.8-rc0
release-2.3.8-rc1
release-2.3.8-rc2