CVE-2024-23945

CVSS 3.1 Score 5.9 of 10 (medium)

Details

Published Dec 23, 2024
Updated: Dec 24, 2024
CWE ID 209

Summary

CVE-2024-23945 is a vulnerability affecting Apache Hive and Spark components. These components, specifically org.apache.hive:hive-service, org.apache.spark:spark-hive-thriftserver_2.11, and org.apache.spark:spark-hive-thriftserver_2.12, inadvertently expose signed cookies to end users when there's a signature mismatch. Signed cookies are essential for maintaining cookie data authenticity and integrity, but exposing the correct signature can lead to further exploitation. This issue was introduced in Apache Hive with HIVE-9710 (1.2.0) and in Apache Spark with SPARK-14987 (2.0.0).
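
The flaw pattern the summary describes, shown as an added sketch that is not Hive or Spark code: a verifier whose mismatch error echoes the signature it computed, next to a hardened version. The HMAC-SHA256 scheme, the `&s=` separator, the key and all function names are assumptions made for illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret"  # constructed key, not from any deployment
SEP = "&s="                          # assumed value/signature separator


def sign(value: str) -> str:
    """Return the value followed by the separator and its hex HMAC-SHA256."""
    mac = hmac.new(SECRET, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}{SEP}{mac}"


def verify_leaky(cookie: str) -> str:
    """Flawed pattern (CWE-209): the error text carries the expected signature."""
    value, _, got = cookie.rpartition(SEP)
    expected = hmac.new(SECRET, value.encode(), hashlib.sha256).hexdigest()
    if got != expected:
        raise ValueError(f"signature mismatch: got {got}, expected {expected}")
    return value


def verify_hardened(cookie: str) -> str:
    """Constant-time comparison; the error reveals nothing the server computed."""
    value, sep, got = cookie.rpartition(SEP)
    expected = hmac.new(SECRET, value.encode(), hashlib.sha256).hexdigest()
    if not sep or not hmac.compare_digest(got.encode(), expected.encode()):
        raise ValueError("invalid cookie signature")
    return value


def error_text(verifier, cookie: str) -> str:
    """Return the message a client would see if the error were passed through."""
    try:
        verifier(cookie)
    except ValueError as exc:
        return str(exc)
    return ""
```

If the computed value is needed for troubleshooting, log it server-side only and keep it out of any response body or header.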

Affected Products

  • Apache Spark
  • Apache Hive

Affected Vendors

  • Apache Software Foundation