5.9
MEDIUM
CVE-2024-23945
Apache Hive Cookie Signature Exposure
Description

Signing cookies is an application security feature that adds a digital signature to cookie data to verify its authenticity and integrity. The signature helps prevent malicious actors from modifying the cookie value, which can lead to security vulnerabilities and exploitation. Apache Hive’s service component accidentally exposes the signed cookie to the end user when there is a mismatch in signature between the current and expected cookie. Exposing the correct cookie signature can lead to further exploitation. The vulnerable CookieSigner logic was introduced in Apache Hive by HIVE-9710 (1.2.0) and in Apache Spark by SPARK-14987 (2.0.0). The affected components are the following: * org.apache.hive:hive-service * org.apache.spark:spark-hive-thriftserver_2.11 * org.apache.spark:spark-hive-thriftserver_2.12

INFO

Published Date :

Dec. 23, 2024, 4:15 p.m.

Last Modified :

July 14, 2025, 6:32 p.m.

Source :

[email protected]

Remotely Exploitable :

Yes !

Impact Score :

3.6

Exploitability Score :

2.2
Affected Products

The following products are affected by CVE-2024-23945 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

ID Vendor Product Action
1 Apache spark
2 Apache hive
: Total Affected Vendor : 1 | Products : 2
References to Advisories, Solutions, and Tools

Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2024-23945.

URL Resource
https://github.com/apache/hive Product
https://github.com/apache/hive/commit/7638cb1a3b07713cc490aa2909a37037f89e08b4 Patch
https://github.com/apache/spark Product
https://github.com/apache/spark/commit/cf59b1f51c16301f689b4e0f17ba4dbd140e1b19 Patch
https://issues.apache.org/jira/browse/HIVE-9710 Exploit Issue Tracking Patch Vendor Advisory
https://issues.apache.org/jira/browse/SPARK-14987 Patch Vendor Advisory
https://lists.apache.org/thread/59r4mv7glrxpwkkdjvjbdljfpx3f5zzc Mailing List Vendor Advisory
https://lists.apache.org/thread/5o2ljnzrv8zvhjw9vy7b4rwjpc32hgfc Mailing List Vendor Advisory
http://www.openwall.com/lists/oss-security/2024/12/23/2 Mailing List Third Party Advisory

We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).

Results are limited to the first 15 repositories due to potential performance issues.

The following list is the news that have been mention CVE-2024-23945 vulnerability anywhere in the article.

  • Cybersecurity News
CVE-2024-43452: PoC Exploit Released for Windows Elevation of Privilege Bug

Security researchers published the technical details and a proof-of-concept (PoC) exploit code for CVE-2024-43452 (CVSS 7.5), a Windows Registry Elevation of Privilege vulnerability. Reported by Mateu ... Read more

Published Date: Jan 06, 2025 (6 months, 1 week ago)
CVE-2024-9140 CVE-2024-9138 CVE-2024-23945 CVE-2024-43452
  • Cybersecurity News
CVE-2024-45387: PoC Published for Critical SQL Injection in Apache Traffic Control

Security researcher Abdelrhman Zayed, in collaboration with Mohamed Abdelhady, has published proof-of-concept (PoC) exploit code for CVE-2024-45387, a critical SQL injection vulnerability in Apache Tr ... Read more

Published Date: Dec 30, 2024 (6 months, 2 weeks ago)
CVE-2024-45387 CVE-2024-23945 CVE-2024-49112 CVE-2024-52335 CVE-2024-42327 CVE-2024-3584 CVE-2024-23832
  • TheCyberThrone
CVE-2024-52046 Impacts Apache Mina

CVE-2024-52046 is a critical security vulnerability found in the Apache MINA library. This vulnerability is located within the ObjectSerializationDecoder component, which uses Java’s native serializat ... Read more

Published Date: Dec 26, 2024 (6 months, 2 weeks ago)
CVE-2024-52046 CVE-2024-43441 CVE-2024-45387 CVE-2024-23945
  • TheCyberThrone
CVE-2024-43441Impacts Apache HugeGraph

CVE-2024-43441 is a critical vulnerability that impacts Apache HugeGraph-Server. This vulnerability allows attackers to bypass authentication mechanisms by exploiting assumed-immutable data. This can ... Read more

Published Date: Dec 26, 2024 (6 months, 2 weeks ago)
CVE-2024-43441 CVE-2024-45387 CVE-2024-23945
  • TheCyberThrone
CVE-2024-23945 Impacts Apache Hive and Spark

Apache Hive and Apache Spark have been impacted by a vulnerability CVE-2024-23945 with a CVSS score of 8.7.This vulnerability specifically targets the CookieSigner component, which is crucial for sign ... Read more

Published Date: Dec 25, 2024 (6 months, 2 weeks ago)
CVE-2024-45387 CVE-2024-23945 CVE-2021-44207
  • Cybersecurity News
CVE-2024-23945: Serious Vulnerability in Apache Hive and Spark Could Lead to Exploitation

A newly disclosed vulnerability, CVE-2024-23945, with a CVSS score of 8.7, has been identified in Apache Hive and Apache Spark, two widely used systems for large-scale data processing and analytics. T ... Read more

Published Date: Dec 25, 2024 (6 months, 2 weeks ago)
CVE-2024-23945 CVE-2024-55949 CVE-2024-53247 CVE-2024-52544 CVE-2024-39343 CVE-2024-42330

The following table lists the changes that have been made to the CVE-2024-23945 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • Initial Analysis by [email protected]

    Jul. 14, 2025

    Action Type Old Value New Value
    Added CPE Configuration OR *cpe:2.3:a:apache:hive:*:*:*:*:*:*:*:* versions from (including) 1.2.0 up to (excluding) 4.0.0 *cpe:2.3:a:apache:spark:*:*:*:*:*:*:*:* versions from (including) 2.0.0 up to (excluding) 3.3.4 *cpe:2.3:a:apache:spark:*:*:*:*:*:*:*:* versions from (including) 3.4.0 up to (excluding) 3.4.2 *cpe:2.3:a:apache:spark:3.5.0:*:*:*:*:*:*:*
    Added Reference Type CVE: http://www.openwall.com/lists/oss-security/2024/12/23/2 Types: Mailing List, Third Party Advisory
    Added Reference Type Apache Software Foundation: https://github.com/apache/hive Types: Product
    Added Reference Type Apache Software Foundation: https://github.com/apache/hive/commit/7638cb1a3b07713cc490aa2909a37037f89e08b4 Types: Patch
    Added Reference Type Apache Software Foundation: https://github.com/apache/spark Types: Product
    Added Reference Type Apache Software Foundation: https://github.com/apache/spark/commit/cf59b1f51c16301f689b4e0f17ba4dbd140e1b19 Types: Patch
    Added Reference Type Apache Software Foundation: https://issues.apache.org/jira/browse/HIVE-9710 Types: Exploit, Issue Tracking, Patch, Vendor Advisory
    Added Reference Type Apache Software Foundation: https://issues.apache.org/jira/browse/SPARK-14987 Types: Patch, Vendor Advisory
    Added Reference Type Apache Software Foundation: https://lists.apache.org/thread/59r4mv7glrxpwkkdjvjbdljfpx3f5zzc Types: Mailing List, Vendor Advisory
    Added Reference Type Apache Software Foundation: https://lists.apache.org/thread/5o2ljnzrv8zvhjw9vy7b4rwjpc32hgfc Types: Mailing List, Vendor Advisory
  • CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0

    Mar. 19, 2025

    Action Type Old Value New Value
    Added CVSS V3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
    Added CWE CWE-209
  • CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0

    Feb. 18, 2025

    Action Type Old Value New Value
    Removed CVSS V3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
  • CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0

    Dec. 24, 2024

    Action Type Old Value New Value
    Added CVSS V3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
  • CVE Modified by af854a3a-2127-422b-91ae-364da2661108

    Dec. 23, 2024

    Action Type Old Value New Value
    Added Reference http://www.openwall.com/lists/oss-security/2024/12/23/2
  • New CVE Received by [email protected]

    Dec. 23, 2024

    Action Type Old Value New Value
    Added Description Signing cookies is an application security feature that adds a digital signature to cookie data to verify its authenticity and integrity. The signature helps prevent malicious actors from modifying the cookie value, which can lead to security vulnerabilities and exploitation. Apache Hive’s service component accidentally exposes the signed cookie to the end user when there is a mismatch in signature between the current and expected cookie. Exposing the correct cookie signature can lead to further exploitation. The vulnerable CookieSigner logic was introduced in Apache Hive by HIVE-9710 (1.2.0) and in Apache Spark by SPARK-14987 (2.0.0). The affected components are the following: * org.apache.hive:hive-service * org.apache.spark:spark-hive-thriftserver_2.11 * org.apache.spark:spark-hive-thriftserver_2.12
    Added CWE CWE-209
    Added Reference https://github.com/apache/hive
    Added Reference https://github.com/apache/hive/commit/7638cb1a3b07713cc490aa2909a37037f89e08b4
    Added Reference https://github.com/apache/spark
    Added Reference https://github.com/apache/spark/commit/cf59b1f51c16301f689b4e0f17ba4dbd140e1b19
    Added Reference https://issues.apache.org/jira/browse/HIVE-9710
    Added Reference https://issues.apache.org/jira/browse/SPARK-14987
    Added Reference https://lists.apache.org/thread/59r4mv7glrxpwkkdjvjbdljfpx3f5zzc
    Added Reference https://lists.apache.org/thread/5o2ljnzrv8zvhjw9vy7b4rwjpc32hgfc
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. Following chart shows the EPSS score history of the vulnerability.
CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2024-23945 is associated with the following CWEs:

Common Attack Pattern Enumeration and Classification (CAPEC)

Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2024-23945 weaknesses.

CVSS31 - Vulnerability Scoring System
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
:
© cvefeed.io
Latest DB Update: Jul. 15, 2025 19:09