CVE-2020-1926
Apache Hive Information Exposure and Observable Timing Discrepancy
CVSS 3.1: 5.9 (MEDIUM)
EPSS: 0.48%
Description
Apache Hive cookie signature verification used a non-constant-time comparison, which is known to be vulnerable to timing attacks. This could allow recovery of another user's cookie signature. The issue was addressed in Apache Hive 2.3.8.
How to fix CVE-2020-1926
To remediate CVE-2020-1926, upgrade the affected package to a fixed version below.
- —upgrade to 2.3.8 or later
Is CVE-2020-1926 being exploited?
Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 2.3.8
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 5.9 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |