CVE-2020-1926

MEDIUM

Apache Hive <2.3.8 - Info Disclosure

Title source: llm

Description

Apache Hive cookie signature verification used a non constant time comparison which is known to be vulnerable to timing attacks. This could allow recovery of another users cookie signature. The issue was addressed in Apache Hive 2.3.8

References (2)

[Issue Tracking, Patch, Vendor Advisory] https://issues.apache.org/jira/browse/HIVE-22708

[Mailing List, Patch, Vendor Advisory] https://lists.apache.org/thread.html/rd186eedff68102ba1e68059a808101c5aa587e11542c7dcd26e7b9d7%40%3Cuser.hive.apache.org%3E

Scores

CVSS v3 5.9

EPSS 0.0048

EPSS Percentile 65.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE

CWE-208 CWE-203

Status published

Products (2)

apache/hive < 2.3.8

org.apache.hive/hive 0 - 2.3.8Maven

Published Mar 16, 2021

Tracked Since Feb 18, 2026