Lucene search
Veracode Vulnerability DatabaseVERACODE:34138HistoryFeb 11, 2022 - 4:56 a.m.
Information Disclosure
2022-02-1104:56:05
Veracode Vulnerability Database
sca.analysiscenter.veracode.com
11
0.001 Low
EPSS
Percentile
29.4%
hive-service is vulnerable to information disclosure. The vulnerability exists because the verifyAndExtract function of CookieSigner.java uses a constant-time comparison for cookie signature verification, allowing an attacker to recover another user’s cookie signature.
| CPE | Name | Operator | Version |
|---|---|---|---|
| hive service | eq | 1.2.2 | |
| hive service | le | 2.3.7 | |
| hive service | le | 2.1.0 | |
| hive service | le | 3.1.2 | |
| hive service | eq | 1.2.2 | |
| hive service | le | 2.3.7 | |
| hive service | le | 2.1.0 | |
| hive service | le | 3.1.2 |
References
github.com/advisories/GHSA-54g4-5cf6-hjp3
github.com/apache/hive/commit/ee5a6be81a87bb21b3779edad6e61b67b365997b
github.com/apache/spark/pull/27273
issues.apache.org/jira/browse/HIVE-22708
lists.apache.org/thread.html/rd186eedff68102ba1e68059a808101c5aa587e11542c7dcd26e7b9d7%40%3Cuser.hive.apache.org%3E
lists.apache.org/thread/o4ypc8tym2dcphv0tm10npz8fvg97z11
Related
cve
cve
CVE-2020-1926
2021-03-16 13:15:11
osv
osv
Apache Hive Information Exposure and Observable Timing Discrepancy
2022-02-09 00:48:54
CVE-2020-1926
2021-03-16 13:15:11
cvelist
cvelist
CVE-2020-1926 Timing attack in Cookie signature verification
2021-03-16 13:00:16
nvd
nvd
CVE-2020-1926
2021-03-16 13:15:11
prion
prion
Code injection
2021-03-16 13:15:00
github
github
Apache Hive Information Exposure and Observable Timing Discrepancy
2022-02-09 00:48:54
oracle
oracle
Oracle Critical Patch Update Advisory - July 2023
2023-07-18 00:00:00