CVE-2020-1926

MEDIUM

Apache Hive <2.3.8 - Info Disclosure

Title source: llm

Description

Apache Hive cookie signature verification used a non constant time comparison which is known to be vulnerable to timing attacks. This could allow recovery of another users cookie signature. The issue was addressed in Apache Hive 2.3.8

References (2)

[Issue Tracking, Patch, Vendor Advisory] https://issues.apache.org/jira/browse/HIVE-22708

[Mailing List, Patch, Vendor Advisory] https://lists.apache.org/thread.html/rd186eedff68102ba1e68059a808101c5aa587e11542c7dcd26e7b9d7%40%3Cuser.hive.apache.org%3E

Scores

CVSS v3 5.9

EPSS 0.0048

EPSS Percentile 64.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Classification

CWE

CWE-208 CWE-203

Status published

Affected Products (2)

apache/hive < 2.3.8

org.apache.hive/hive < 2.3.8Maven

Timeline

Published Mar 16, 2021

Tracked Since Feb 18, 2026