Application Security Flaw in Apache Hive and Spark Affecting Cookie Signature Verification

CVE-2024-23945


Key Information

Vendor: Apache
Products: Apache Hive, Apache Spark
CVE Published: 23 December 2024

Summary

An application security flaw in Apache Hive and Apache Spark concerns the improper handling of signed cookies. When a cookie's signature fails to verify, the signed cookie is exposed to the user, which could allow a malicious actor to alter the cookie's value. The flaw traces back to the CookieSigner logic introduced in Apache Hive via HIVE-9710 (from version 1.2.0) and in Apache Spark via SPARK-14987 (from version 2.0.0). Exposure of these cookies can lead to unauthorized access and further exploitation of the application, a significant concern for users relying on these platforms.
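
To illustrate the failure mode the summary describes, the following is an added example (written in Python, not the projects' own Java or Scala code): a constructed signed-cookie verifier whose mismatch error echoes the signed cookie back to the caller, beside a hardened verifier that compares in constant time and fails with a generic message. The key, the cookie layout and the error strings are assumptions for the example.

```python
"""Signed-cookie verification: a leaky mismatch path beside a hardened one.

Constructed model of the pattern described in the summary, not the project's code.
"""
import hashlib
import hmac
from typing import Callable, Optional, Tuple

SEP = "&s="  # assumed separator between the cookie value and its signature


class SignatureMismatch(Exception):
    """Raised when a signed cookie does not verify."""


def sign_cookie(key: bytes, value: str) -> str:
    """Append an HMAC-SHA256 signature (hex) to a cookie value."""
    sig = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}{SEP}{sig}"


def _split(signed: str) -> Tuple[str, str]:
    """Separate the value from the presented signature; reject unsigned input."""
    idx = signed.rfind(SEP)
    if idx < 0:
        raise SignatureMismatch("cookie signature verification failed")
    return signed[:idx], signed[idx + len(SEP):]


def verify_leaky(key: bytes, signed: str) -> str:
    """Weak: on mismatch the error text echoes the signed cookie to the caller."""
    value, presented = _split(signed)
    expected = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    if presented != expected:
        raise SignatureMismatch(f"invalid signature for cookie {signed}")
    return value


def verify_hardened(key: bytes, signed: str) -> str:
    """Fixed: constant-time comparison and a generic error carrying no cookie detail."""
    value, presented = _split(signed)
    expected = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(presented, expected):
        raise SignatureMismatch("cookie signature verification failed")
    return value


def failure_message(verify: Callable[[bytes, str], str], key: bytes, signed: str) -> Optional[str]:
    """Return the error text a client would receive, or None if verification passed."""
    try:
        verify(key, signed)
        return None
    except SignatureMismatch as exc:
        return str(exc)
```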

Affected Version(s)

Apache Hive < 4.0.0

Apache Spark < 3.0.0

Apache Spark < 3.3.4

Timeline

  • Vulnerability published

  • Vulnerability reserved

Collectors

  • NVD Database
  • Mitre Database

Credit

Kostya Kortchinsky
Hamza Tahmi