cnvd - cnvd-2021-29476

cnvd-2021-29476

Vulnerability from cnvd

Title: Apache Hive信息泄露漏洞（CNVD-2021-29476）

Description:

Apache Hive是美国阿帕奇Apache基金会的一套基于Hadoop（分布式系统基础架构）的数据仓库软件。该软件提供了一个数据集成方法和一种高级的查询语言，以支持在Hadoop上进行大规模数据分析。

Apache Hive 2.3.8之前版本存在信息泄露漏洞，该漏洞源于Apache Hive Cookie签名验证使用了非恒定时间比较，攻击可利用此漏洞允许恢复其他用户的cookie签名。

Severity: 中

Patch Name: Apache Hive信息泄露漏洞（CNVD-2021-29476）的补丁

Patch Description:

Apache Hive 2.3.8之前版本存在信息泄露漏洞，该漏洞源于Apache Hive Cookie签名验证使用了非恒定时间比较，攻击可利用此漏洞允许恢复其他用户的cookie签名。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

厂商已发布了漏洞修复程序，请及时关注更新：https://lists.apache.org/thread.html/rd186eedff68102ba1e68059a808101c5aa587e11542c7dcd26e7b9d7%40%3Cuser.hive.apache.org%3E

Reference: https://nvd.nist.gov/vuln/detail/CVE-2020-1926

Impacted products

Name
Apache Hive <2.3.8

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2020-1926",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2020-1926"
    }
  },
  "description": "Apache Hive\u662f\u7f8e\u56fd\u963f\u5e15\u5947Apache\u57fa\u91d1\u4f1a\u7684\u4e00\u5957\u57fa\u4e8eHadoop\uff08\u5206\u5e03\u5f0f\u7cfb\u7edf\u57fa\u7840\u67b6\u6784\uff09\u7684\u6570\u636e\u4ed3\u5e93\u8f6f\u4ef6\u3002\u8be5\u8f6f\u4ef6\u63d0\u4f9b\u4e86\u4e00\u4e2a\u6570\u636e\u96c6\u6210\u65b9\u6cd5\u548c\u4e00\u79cd\u9ad8\u7ea7\u7684\u67e5\u8be2\u8bed\u8a00\uff0c\u4ee5\u652f\u6301\u5728Hadoop\u4e0a\u8fdb\u884c\u5927\u89c4\u6a21\u6570\u636e\u5206\u6790\u3002\n\nApache Hive 2.3.8\u4e4b\u524d\u7248\u672c\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8eApache Hive Cookie\u7b7e\u540d\u9a8c\u8bc1\u4f7f\u7528\u4e86\u975e\u6052\u5b9a\u65f6\u95f4\u6bd4\u8f83\uff0c\u653b\u51fb\u53ef\u5229\u7528\u6b64\u6f0f\u6d1e\u5141\u8bb8\u6062\u590d\u5176\u4ed6\u7528\u6237\u7684cookie\u7b7e\u540d\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1ahttps://lists.apache.org/thread.html/rd186eedff68102ba1e68059a808101c5aa587e11542c7dcd26e7b9d7%40%3Cuser.hive.apache.org%3E",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-29476",
  "openTime": "2021-04-19",
  "patchDescription": "Apache Hive\u662f\u7f8e\u56fd\u963f\u5e15\u5947Apache\u57fa\u91d1\u4f1a\u7684\u4e00\u5957\u57fa\u4e8eHadoop\uff08\u5206\u5e03\u5f0f\u7cfb\u7edf\u57fa\u7840\u67b6\u6784\uff09\u7684\u6570\u636e\u4ed3\u5e93\u8f6f\u4ef6\u3002\u8be5\u8f6f\u4ef6\u63d0\u4f9b\u4e86\u4e00\u4e2a\u6570\u636e\u96c6\u6210\u65b9\u6cd5\u548c\u4e00\u79cd\u9ad8\u7ea7\u7684\u67e5\u8be2\u8bed\u8a00\uff0c\u4ee5\u652f\u6301\u5728Hadoop\u4e0a\u8fdb\u884c\u5927\u89c4\u6a21\u6570\u636e\u5206\u6790\u3002\r\n\r\nApache Hive 2.3.8\u4e4b\u524d\u7248\u672c\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8eApache Hive Cookie\u7b7e\u540d\u9a8c\u8bc1\u4f7f\u7528\u4e86\u975e\u6052\u5b9a\u65f6\u95f4\u6bd4\u8f83\uff0c\u653b\u51fb\u53ef\u5229\u7528\u6b64\u6f0f\u6d1e\u5141\u8bb8\u6062\u590d\u5176\u4ed6\u7528\u6237\u7684cookie\u7b7e\u540d\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Apache Hive\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff08CNVD-2021-29476\uff09\u7684\u8865\u4e01",
  "products": {
    "product": "Apache Hive  \u003c2.3.8"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2020-1926",
  "serverity": "\u4e2d",
  "submitTime": "2021-03-17",
  "title": "Apache Hive\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff08CNVD-2021-29476\uff09"
}

CVE-2020-1926 (GCVE-0-2020-1926)

Vulnerability from cvelistv5

Published

2021-03-16 13:00

Modified

2025-02-13 16:27

Severity ?

CWE

CWE-208 - Information Exposure Through Timing Discrepancy

Summary

Apache Hive cookie signature verification used a non constant time comparison which is known to be vulnerable to timing attacks. This could allow recovery of another users cookie signature. The issue was addressed in Apache Hive 2.3.8

References

▼	URL	Tags
	https://issues.apache.org/jira/browse/HIVE-22708	x_refsource_MISC
	https://lists.apache.org/thread.html/rd186eedff68102ba1e68059a808101c5aa587e11542c7dcd26e7b9d7%40%3Cuser.hive.apache.org%3E	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache Hive	Version: Apache Hive < 2.3.8

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T06:54:00.358Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://issues.apache.org/jira/browse/HIVE-22708"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/rd186eedff68102ba1e68059a808101c5aa587e11542c7dcd26e7b9d7%40%3Cuser.hive.apache.org%3E"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache Hive",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "2.3.8",
              "status": "affected",
              "version": "Apache Hive",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Apache Hive would like to thank S. Wasin for reporting this issue."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Apache Hive cookie signature verification used a non constant time comparison which is known to be vulnerable to timing attacks. This could allow recovery of another users cookie signature. The issue was addressed in Apache Hive 2.3.8"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-208",
              "description": "CWE-208 Information Exposure Through Timing Discrepancy",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-08-04T06:54:56.000Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://issues.apache.org/jira/browse/HIVE-22708"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://lists.apache.org/thread.html/rd186eedff68102ba1e68059a808101c5aa587e11542c7dcd26e7b9d7%40%3Cuser.hive.apache.org%3E"
        }
      ],
      "source": {
        "defect": [
          "HIVE-22708"
        ],
        "discovery": "UNKNOWN"
      },
      "title": "Timing attack in Cookie signature verification",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2020-1926",
          "STATE": "PUBLIC",
          "TITLE": "Timing attack in Cookie signature verification"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Apache Hive",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "Apache Hive",
                            "version_value": "2.3.8"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Apache Software Foundation"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Apache Hive would like to thank S. Wasin for reporting this issue."
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Apache Hive cookie signature verification used a non constant time comparison which is known to be vulnerable to timing attacks. This could allow recovery of another users cookie signature. The issue was addressed in Apache Hive 2.3.8"
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-208 Information Exposure Through Timing Discrepancy"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://issues.apache.org/jira/browse/HIVE-22708",
              "refsource": "MISC",
              "url": "https://issues.apache.org/jira/browse/HIVE-22708"
            },
            {
              "name": "https://lists.apache.org/thread.html/rd186eedff68102ba1e68059a808101c5aa587e11542c7dcd26e7b9d7%40%3Cuser.hive.apache.org%3E",
              "refsource": "MISC",
              "url": "https://lists.apache.org/thread.html/rd186eedff68102ba1e68059a808101c5aa587e11542c7dcd26e7b9d7%40%3Cuser.hive.apache.org%3E"
            }
          ]
        },
        "source": {
          "defect": [
            "HIVE-22708"
          ],
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2020-1926",
    "datePublished": "2021-03-16T13:00:16.000Z",
    "dateReserved": "2019-12-02T00:00:00.000Z",
    "dateUpdated": "2025-02-13T16:27:38.760Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted