VDB
CNVD-2025-05702
CNVD-2025-05702
PUBLISHED
CVSS 6.5 MEDIUM
Apache Hive是美国阿帕奇(Apache)基金会的一套基于Hadoop(分布式系统基础架构)的数据仓库软件。该软件提供了一个数据集成方法和一种高级的查询语言,以支持在Hadoop上进行大规模数据分析。 Apache Hive存在信任管理问题漏洞,该漏洞源于使用Arrays.equals方法比较消息签名时未采用恒定时间算法,攻击者可利用该漏洞逐字节伪造有效签名。
Risk Scores
CVSS 3.1
6.5
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache Software Foundation | Apache Hive | 2.2.0 |
Exploit Intelligence
- CIRCL published-proof-of-concept: CVE-2024-23953 (circl-sighting)
- CIRCL seen: CVE-2024-23953 (circl-sighting)
- http://www.openwall.com/lists/oss-security/2025/01/28/3 (circl)
- https://github.com/apache/hive/commit/b418e3c9f479ba8e7d31e6470306111002ffa809 (circl)
- https://issues.apache.org/jira/browse/HIVE-28030 (circl)
- https://blog.gypsyengineer.com/en/security/preventing-timing-attacks-with-codeql.html (circl)
- https://cqr.company/web-vulnerabilities/timing-attacks/ (circl)
- https://lists.apache.org/thread/0nloywj49nbtlc6l3c6363qvq7o1ztb7 (circl)
- https://github.com/apache/hive (circl)
- CIRCL seen: CVE-2024-23953 (circl-sighting)
…and 7 more exploits
Timeline
- Jan 28, 2025 CVE Published
- Jan 28, 2025 PoC Published
- Jan 28, 2025 PoC Published
- Jan 28, 2025 PoC Published
- Jan 28, 2025 PoC Published
- Jan 28, 2025 PoC Published
- Jan 28, 2025 PoC Published
- Jan 31, 2025 PoC Published
- Jan 31, 2025 PoC Published
- Feb 3, 2025 PoC Published
- May 30, 2025 PoC Published
References
- https://github.com/apache/hive url
- https://github.com/apache/hive/commit/b418e3c9f479ba8e7d31e6470306111002ffa809 patch
- https://issues.apache.org/jira/browse/HIVE-28030 issue
- https://blog.gypsyengineer.com/en/security/preventing-timing-attacks-with-codeql.html url
- https://cqr.company/web-vulnerabilities/timing-attacks/ url
- https://lists.apache.org/thread/0nloywj49nbtlc6l3c6363qvq7o1ztb7 vendor-advisory
- http://www.openwall.com/lists/oss-security/2025/01/28/3 url