CVE-2024-23945

CVSS V2 None CVSS V3 None

Description

Signing cookies is an application security feature that adds a digital signature to cookie data to verify its authenticity and integrity. The signature helps prevent malicious actors from modifying the cookie value, which can lead to security vulnerabilities and exploitation. Apache Hive’s service component accidentally exposes the signed cookie to the end user when there is a mismatch in signature between the current and expected cookie. Exposing the correct cookie signature can lead to further exploitation. The vulnerable CookieSigner logic was introduced in Apache Hive by HIVE-9710 (1.2.0) and in Apache Spark by SPARK-14987 (2.0.0). The affected components are the following: * org.apache.hive:hive-service * org.apache.spark:spark-hive-thriftserver_2.11 * org.apache.spark:spark-hive-thriftserver_2.12

Overview

CVE ID
CVE-2024-23945

Assigner
apache

Vulnerability Status
PUBLISHED

Published Version
2024-12-23T15:26:54.477Z

Last Modified Date
2024-12-24T01:51:23.147Z

Weakness Enumerations

CWE	URL
CWE-209	http://cwe.mitre.org/data/definitions/209.html

References

Reference URL	Reference Tags
https://github.com/apache/hive	product
https://github.com/apache/spark	product
https://github.com/apache/spark/commit/cf59b1f51c16301f689b4e0f17ba4dbd140e1b19	patch
https://github.com/apache/hive/commit/7638cb1a3b07713cc490aa2909a37037f89e08b4	patch
https://issues.apache.org/jira/browse/HIVE-9710
https://issues.apache.org/jira/browse/SPARK-14987
https://lists.apache.org/thread/59r4mv7glrxpwkkdjvjbdljfpx3f5zzc	vendor-advisory
https://lists.apache.org/thread/5o2ljnzrv8zvhjw9vy7b4rwjpc32hgfc	vendor-advisory

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2024-23945
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-23945

History

Created	Old Value	New Value	Data Type	Notes
2024-12-24 13:10:26				Added to TrackCVE