CVE-2024-23945
Published: 23 December 2024
Summary
CVE-2024-23945 is a medium-severity Generation of Error Message Containing Sensitive Information (CWE-209) vulnerability in Apache Spark. Its CVSS base score is 5.9 (Medium).
Operationally, it ranks in the top 8.7% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
CVE-2024-23945 affects the cookie signing logic in Apache Hive’s service component (org.apache.hive:hive-service) and the corresponding Spark Hive Thriftserver modules (spark-hive-thriftserver_2.11 and _2.12). The flaw, introduced by HIVE-9710 in Hive 1.2.0 and SPARK-14987 in Spark 2.0.0, causes the correct signed cookie value to be returned to a client whenever a signature mismatch occurs between the supplied and expected cookie, exposing the signature that is otherwise intended to protect integrity.
An unauthenticated remote attacker can trigger the mismatch condition over the network to obtain a valid cookie signature. With the signature in hand, the attacker can forge or modify subsequent cookies, achieving integrity violations that the signing mechanism was designed to prevent. The CVSS 5.9 rating reflects the high attack complexity required to reach this outcome despite the absence of required credentials.
Public references point to corrective commits in the Hive and Spark repositories that address the exposure in the CookieSigner path. The EPSS score reached a peak of 0.0852 after disclosure, indicating a measurable increase in observed exploitation interest from an initially low baseline.
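The leak described above and its fix, side by side, as an added sketch that is not the Hive or Spark source: the class and method names, the `&s=` separator, the message wording and the use of HMAC-SHA256 are assumptions made for illustration.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.security.MessageDigest;
import java.util.Base64;
import static java.nio.charset.StandardCharsets.UTF_8;

// Illustrative sketch: names, separator and HMAC-SHA256 are assumptions,
// not the Hive/Spark CookieSigner source.
public class CookieVerifyDemo {
    private static final String SEP = "&s=";
    private final SecretKeySpec key;
    CookieVerifyDemo(byte[] secret) { key = new SecretKeySpec(secret, "HmacSHA256"); }

    String sign(String raw) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(key);
        return Base64.getEncoder().encodeToString(mac.doFinal(raw.getBytes(UTF_8)));
    }

    // CWE-209 pattern: the exception text carries the expected signature.
    String verifyLeaky(String cookie) throws Exception {
        int i = cookie.lastIndexOf(SEP);
        if (i < 0) throw new IllegalArgumentException("Malformed cookie");
        String raw = cookie.substring(0, i), got = cookie.substring(i + SEP.length());
        String expected = sign(raw);
        if (!got.equals(expected))
            throw new IllegalArgumentException("Bad signature: got " + got + ", expected " + expected);
        return raw;
    }

    // Hardened: constant-time compare; the message contains nothing derived from the key.
    String verifySafe(String cookie) throws Exception {
        int i = cookie.lastIndexOf(SEP);
        if (i < 0) throw new IllegalArgumentException("Malformed cookie");
        String raw = cookie.substring(0, i), got = cookie.substring(i + SEP.length());
        if (!MessageDigest.isEqual(got.getBytes(UTF_8), sign(raw).getBytes(UTF_8)))
            throw new IllegalArgumentException("Invalid cookie signature");
        return raw;
    }

    public static void main(String[] args) throws Exception {
        CookieVerifyDemo v = new CookieVerifyDemo("constructed-demo-secret".getBytes(UTF_8));
        String bad = "cu=alice" + SEP + "AAAA"; // constructed input with a wrong signature
        String expected = v.sign("cu=alice");
        try { v.verifyLeaky(bad); } catch (IllegalArgumentException e) {
            System.out.println("leaky discloses signature: " + e.getMessage().contains(expected));
        }
        try { v.verifySafe(bad); } catch (IllegalArgumentException e) {
            System.out.println("safe discloses signature:  " + e.getMessage().contains(expected));
        }
    }
}
```

The same containment check works as a regression test: assert that no exception message or HTTP response produced on a failed verification contains the value returned by `sign`.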
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-3564
Vulnerability details
Signing cookies is an application security feature that adds a digital signature to cookie data to verify its authenticity and integrity. The signature helps prevent malicious actors from modifying the cookie value, which can lead to security vulnerabilities and exploitation.
Apache Hive’s service component accidentally exposes the signed cookie to the end user when there is a mismatch in signature between the current and expected cookie. Exposing the correct cookie signature can lead to further exploitation. The vulnerable CookieSigner logic was introduced in Apache Hive by HIVE-9710 (1.2.0) and in Apache Spark by SPARK-14987 (2.0.0). The affected components are the following:
- org.apache.hive:hive-service
- org.apache.spark:spark-hive-thriftserver_2.11
- org.apache.spark:spark-hive-thriftserver_2.12
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Detects error messages that leak sensitive information as evidence of disclosure.
The control directly mitigates generation of error messages containing sensitive authentication details by requiring obscured feedback instead of verbose responses.
Misdirection allows generation of misleading error messages that withhold or falsify sensitive details.
Explicitly requires error messages to avoid including sensitive or exploitable details while still supporting corrective action.
Validation ensures error messages contain only expected, non-sensitive content and blocks leakage via verbose errors.
Fail-safe procedures can be defined to suppress or sanitize error output, reducing generation of messages that contain sensitive information.