5.9

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-23945

GHSA ID

GHSA-77pm-w3hx-f8mj

EPSS Score

0.75277%

CWE

CWE-209

Published

12/23/2024

Updated

12/26/2024

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-23945

CVE-2024-23945: Apache Hive and Spark: CookieSigner exposes the correct signature when message verification fails

Signing cookies is an application security feature that adds a digital signature to cookie data to verify its authenticity and integrity. The signature helps prevent malicious actors from modifying the cookie value, which can lead to security vulnerabilities and exploitation. Apache Hive’s service component accidentally exposes the signed cookie to the end user when there is a mismatch in signature between the current and expected cookie. Exposing the correct cookie signature can lead to further exploitation.

The vulnerable CookieSigner logic was introduced in Apache Hive by HIVE-9710 (1.2.0) and in Apache Spark by SPARK-14987 (2.0.0). The affected components are the following:

org.apache.hive:hive-service
org.apache.spark:spark-hive-thriftserver_2.11
org.apache.spark:spark-hive-thriftserver_2.12

(GitHub Advisory)

5.9

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-23945

GHSA ID

GHSA-77pm-w3hx-f8mj

EPSS Score

0.75277%

CWE

CWE-209

Published

12/23/2024

Updated

12/26/2024

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.apache.hive:hive-service	maven	>= 1.2.0, < 4.0.0	4.0.0
org.apache.spark:spark-hive-thriftserver_2.11	maven	<= 2.4.8
org.apache.spark:spark-hive-thriftserver_2.12	maven	< 3.4.2	3.4.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from error message generation in the CookieSigner's.verifyAndExtract method. Both Hive and Spark implementations originally included the originalSignature (correct signature) in exception messages when signature validation failed, as shown in the commit diffs. This violates CWE-209 by exposing cryptographic material through error messages. The patches (7638cb1 for Hive, cf59b1f for Spark) explicitly remove the sensitive signature details from error messages, confirming these functions as the root cause.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

Si*nin* *ooki*s is *n *ppli**tion s**urity ***tur* t**t ***s * *i*it*l si*n*tur* to *ooki* **t* to v*ri*y its *ut**nti*ity *n* int**rity. T** si*n*tur* **lps pr*v*nt m*li*ious **tors *rom mo*i*yin* t** *ooki* v*lu*, w*i** **n l*** to s**urity vuln*r*

Reasoning

T** vuln*r**ility st*ms *rom *rror m*ss*** **n*r*tion in t** `*ooki*Si*n*r's.v*ri*y*n**xtr**t` m*t*o*. *ot* *iv* *n* Sp*rk impl*m*nt*tions ori*in*lly in*lu*** t** `ori*in*lSi*n*tur*` (*orr**t si*n*tur*) in *x**ption m*ss***s w**n si*n*tur* v*li**tion

5.9

Basic Information

Concerned about an active attack path?

CVE-2024-23945: Apache Hive and Spark: CookieSigner exposes the correct signature when message verification fails

5.9

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI