CVE-2020-1926 — MEDIUM (5.9)

Q: How severe is CVE-2020-1926?

CVE-2020-1926 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2020-1926?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Hive.

Vulnerability Description

Apache Hive cookie signature verification used a non constant time comparison which is known to be vulnerable to timing attacks. This could allow recovery of another users cookie signature. The issue was addressed in Apache Hive 2.3.8

CVSS Score

5.9

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Apache	Hive	< 2.3.8

Related Weaknesses (CWE)

CWE-208 CWE-203

References

https://issues.apache.org/jira/browse/HIVE-22708Issue TrackingPatchVendor Advisory
https://lists.apache.org/thread.html/rd186eedff68102ba1e68059a808101c5aa587e1154Mailing ListPatchVendor Advisory
https://issues.apache.org/jira/browse/HIVE-22708Issue TrackingPatchVendor Advisory
https://lists.apache.org/thread.html/rd186eedff68102ba1e68059a808101c5aa587e1154Mailing ListPatchVendor Advisory

FAQ

What is CVE-2020-1926?

CVE-2020-1926 is a vulnerability with a CVSS score of 5.9 (MEDIUM). Apache Hive cookie signature verification used a non constant time comparison which is known to be vulnerable to timing attacks. This could allow recovery of another users cookie signature. The issue ...

How severe is CVE-2020-1926?

CVE-2020-1926 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2020-1926?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Hive.