Description
Apache Hive cookie signature verification used a non constant time comparison which is known to be vulnerable to timing attacks. This could allow recovery of another users cookie signature. The issue was addressed in Apache Hive 2.3.8
Remediation
References
https://issues.apache.org/jira/browse/HIVE-22708
https://lists.apache.org/thread.html/rd186eedff68102ba1e68059a808101c5aa587e11542c7dcd26e7b9d7%40%3Cuser.hive.apache.org%3E
Related Vulnerabilities
CVE-2023-49735 Vulnerability in maven package org.apache.tiles:tiles-core
CVE-2021-27290 Vulnerability in npm package ssri
CVE-2023-30533 Vulnerability in npm package xlsx
CVE-2023-33201 Vulnerability in maven package org.bouncycastle:bcprov-jdk18on
CVE-2023-44981 Vulnerability in maven package org.apache.zookeeper:zookeeper