Description
Apache Hive cookie signature verification used a non constant time comparison which is known to be vulnerable to timing attacks. This could allow recovery of another users cookie signature. The issue was addressed in Apache Hive 2.3.8
References (2)
Core 2
Core References
Issue Tracking, Patch, Vendor Advisory x_refsource_misc
https://issues.apache.org/jira/browse/HIVE-22708
Mailing List, Patch, Vendor Advisory x_refsource_misc
https://lists.apache.org/thread.html/rd186eedff68102ba1e68059a808101c5aa587e11542c7dcd26e7b9d7%40%3Cuser.hive.apache.org%3E
Scores
CVSS v3
5.9
EPSS
0.0246
EPSS Percentile
82.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-208
CWE-203
Status
published
Products (2)
apache/hive
< 2.3.8
org.apache.hive/hive
0 - 2.3.8Maven
Published
Mar 16, 2021
Tracked Since
Feb 18, 2026