Home > Vulnerability Database > CVE-2020-1926

Mend.io Vulnerability Database

CVE-2020-1926

Good to know:

Date: March 16, 2021

Apache Hive cookie signature verification used a non constant time comparison which is known to be vulnerable to timing attacks. This could allow recovery of another users cookie signature. The issue was addressed in Apache Hive 2.3.8

Language: Java

Severity Score

5.9

Related Resources (4)

Url: https://lists.apache.org/thread.html/rd186eedff68102ba1e68059a808101c5aa587e11542c7dcd26e7b9d7%40%3Cuser.hive.apache.org%3E

Url: https://nvd.nist.gov/vuln/detail/CVE-2020-1926

Url: https://issues.apache.org/jira/browse/HIVE-22708

Url: https://www.mend.io/vulnerability-database/CVE-2020-1926

Severity Score

5.9

Weakness Type (CWE)

Information Leak / Disclosure

CWE-200

Observable Discrepancy

CWE-203

Observable Timing Discrepancy

CWE-208

Top Fix

Upgrade Version

Upgrade to version org.apache.hive:hive-service:2.3.8

Learn More

CVSS v3.1

Base Score:	5.9
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	NONE

CVSS v2

Base Score:	4.3
Access Vector (AV):	NETWORK
Access Complexity (AC):	MEDIUM
Authentication (AU):	NONE
Confidentiality (C):	PARTIAL
Integrity (I):	NONE
Availability (A):	NONE
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2020-1926

Good to know:

Date: March 16, 2021

Language: Java

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?