hive-service is vulnerable to information disclosure. The vulnerability exists because the verifyAndExtract function of CookieSigner.java does not use a constant-time comparison for cookie signature verification, allowing an attacker to recover another user’s cookie signature.
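
The sketch below is an added example, not Hive's code: it puts an early-exit signature check next to a constant-time one. The class name, the `&s=` separator, the HMAC-SHA256 signature and the sample cookie value are all assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added illustration only: class name, "&s=" separator and HMAC-SHA256 are assumptions.
public class CookieSignatureCheck {
    private static final String SEP = "&s=";
    private final byte[] key;

    public CookieSignatureCheck(byte[] key) { this.key = key.clone(); }

    private String signature(String value) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        byte[] tag = mac.doFinal(value.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(tag);
    }

    public String sign(String value) throws Exception { return value + SEP + signature(value); }

    // Weak: String.equals can stop at the first mismatching character, so the
    // time to reject depends on how much of the presented signature is correct.
    public String verifyAndExtractWeak(String signed) throws Exception {
        int i = signed.lastIndexOf(SEP);
        if (i < 0) throw new IllegalArgumentException("cookie is not signed");
        String value = signed.substring(0, i);
        if (!signature(value).equals(signed.substring(i + SEP.length())))
            throw new IllegalArgumentException("invalid signature");
        return value;
    }

    // Hardened: for equal-length inputs MessageDigest.isEqual examines every byte.
    public String verifyAndExtract(String signed) throws Exception {
        int i = signed.lastIndexOf(SEP);
        if (i < 0) throw new IllegalArgumentException("cookie is not signed");
        String value = signed.substring(0, i);
        byte[] expected = signature(value).getBytes(StandardCharsets.UTF_8);
        byte[] presented = signed.substring(i + SEP.length()).getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(expected, presented))
            throw new IllegalArgumentException("invalid signature");
        return value;
    }

    public static void main(String[] args) throws Exception {
        CookieSignatureCheck c = new CookieSignatureCheck("constructed-demo-key".getBytes(StandardCharsets.UTF_8));
        String cookie = c.sign("cu=alice&rn=12345"); // constructed sample value
        System.out.println(c.verifyAndExtract(cookie));
        try { c.verifyAndExtract(cookie.substring(0, cookie.length() - 2) + "AA"); }
        catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

Both methods accept and reject the same cookies; only the hardened one keeps rejection time independent of how many signature characters matched.
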
Name | Operator | Version |
---|---|---|
hive service | eq | 1.2.2 |
hive service | le | 2.3.7 |
hive service | le | 2.1.0 |
hive service | le | 3.1.2 |
github.com/advisories/GHSA-54g4-5cf6-hjp3
github.com/apache/hive/commit/ee5a6be81a87bb21b3779edad6e61b67b365997b
github.com/apache/spark/pull/27273
issues.apache.org/jira/browse/HIVE-22708
lists.apache.org/thread.html/rd186eedff68102ba1e68059a808101c5aa587e11542c7dcd26e7b9d7%40%3Cuser.hive.apache.org%3E
lists.apache.org/thread/o4ypc8tym2dcphv0tm10npz8fvg97z11