You are viewing a plain text version of this content. The canonical link for it is here.

Posted to user@hive.apache.org by Chao Sun <su...@apache.org> on 2021/03/01 18:50:30 UTC

CVE-2020-1926: Timing attack in Cookie signature verification

Description:

Apache Hive cookie signature verification used a non constant time
comparison which is known to be vulnerable to timing attacks. This could
allow recovery of another users cookie signature. The issue was addressed
in Apache Hive 2.3.8

This issue is being tracked as HIVE-22708

Credit:

Apache Hive would like to thank S. Wasin for reporting this issue.

References:

https://issues.apache.org/jira/browse/HIVE-22708