Cyber Resilience

CVE-2024-23945

Medium · Public PoC

Published: 23 December 2024

Modified: 14 July 2025
KEV Added
Patch
CVSS Score v3.1: 5.9 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N)
EPSS Score: 0.0646 (91.3rd percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-23945 is a medium-severity Generation of Error Message Containing Sensitive Information (CWE-209) vulnerability in Apache Spark. Its CVSS base score is 5.9 (Medium).

Operationally, it ranks in the top 8.7% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

CVE-2024-23945 affects the cookie signing logic in Apache Hive’s service component (org.apache.hive:hive-service) and the corresponding Spark Hive Thriftserver modules (spark-hive-thriftserver_2.11 and _2.12). The flaw, introduced by HIVE-9710 in Hive 1.2.0 and SPARK-14987 in Spark 2.0.0, causes the correct signed cookie value to be returned to a client whenever a signature mismatch occurs between the supplied and expected cookie, exposing the signature that is otherwise intended to protect integrity.

An unauthenticated remote attacker can trigger the mismatch condition over the network to obtain a valid cookie signature. With the signature in hand, the attacker can forge or modify subsequent cookies, achieving integrity violations that the signing mechanism was designed to prevent. The CVSS 5.9 rating reflects the high attack complexity required to reach this outcome despite the absence of required credentials.

Public references point to corrective commits in the Hive and Spark repositories that address the exposure in the CookieSigner path. The EPSS score reached a peak of 0.0852 after disclosure, indicating a measurable increase in observed exploitation interest from an initially low baseline.

EU & UK References

Vulnerability details

Signing cookies is an application security feature that adds a digital signature to cookie data to verify its authenticity and integrity. The signature helps prevent malicious actors from modifying the cookie value, which can lead to security vulnerabilities and exploitation.

Apache Hive’s service component accidentally exposes the signed cookie to the end user when there is a mismatch in signature between the current and expected cookie. Exposing the correct cookie signature can lead to further exploitation. The vulnerable CookieSigner logic was introduced in Apache Hive by HIVE-9710 (1.2.0) and in Apache Spark by SPARK-14987 (2.0.0). The affected components are the following:

* org.apache.hive:hive-service
* org.apache.spark:spark-hive-thriftserver_2.11
* org.apache.spark:spark-hive-thriftserver_2.12

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

apache hive: 1.2.0 — 4.0.0
apache spark: 3.5.0 · 2.0.0 — 3.3.4 · 3.4.0 — 3.4.2

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-209

Detects error messages that leak sensitive information as evidence of disclosure.

addresses: CWE-209

The control directly mitigates generation of error messages containing sensitive authentication details by requiring obscured feedback instead of verbose responses.

addresses: CWE-209

Misdirection allows generation of misleading error messages that withhold or falsify sensitive details.

addresses: CWE-209

Explicitly requires error messages to avoid including sensitive or exploitable details while still supporting corrective action.

addresses: CWE-209

Validation ensures error messages contain only expected, non-sensitive content and blocks leakage via verbose errors.

addresses: CWE-209

Fail-safe procedures can be defined to suppress or sanitize error output, reducing generation of messages that contain sensitive information.

References