CVE-2024-23945

Name: CVE-2024-23945
Creator: NVD / NIST
Published: 2024-12-23T16:15:05.59+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

MEDIUMCVSS 5.9/10EPSS 1.47%

Last modified Jun 17, 2026

CVE-2024-23945 is a medium-severity vulnerability rated 5.9/10 on the CVSS scale. Signing cookies is an application security feature that adds a digital signature to cookie data to verify its authenticity and integrity. The signature helps prevent malicious actors from modifying the cookie value, which can lead to security vulnerabilities and exploitation. EPSS estimates a 1.47% chance of exploitation in the next 30 days.

Description

Signing cookies is an application security feature that adds a digital signature to cookie data to verify its authenticity and integrity. The signature helps prevent malicious actors from modifying the cookie value, which can lead to security vulnerabilities and exploitation. Apache Hive’s service component accidentally exposes the signed cookie to the end user when there is a mismatch in signature between the current and expected cookie. Exposing the correct cookie signature can lead to further exploitation. The vulnerable CookieSigner logic was introduced in Apache Hive by HIVE-9710 (1.2.0) and in Apache Spark by SPARK-14987 (2.0.0). The affected components are the following: * org.apache.hive:hive-service * org.apache.spark:spark-hive-thriftserver_2.11 * org.apache.spark:spark-hive-thriftserver_2.12

Metrics

CVSS 3.1

5.9/10

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS Probability

1.47%

70.4th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Apache	Hive	>= 1.2.0, < 4.0.0
Apache	Spark	>= 2.0.0, < 3.3.4
Apache	Spark	>= 3.4.0, < 3.4.2
Apache	Spark	3.5.0

References

https://github.com/apache/hiveProduct
https://github.com/apache/hive/commit/7638cb1a3b07713cc490aa2909a37037f89e08b4Patch
https://github.com/apache/sparkProduct
https://github.com/apache/spark/commit/cf59b1f51c16301f689b4e0f17ba4dbd140e1b19Patch
https://issues.apache.org/jira/browse/HIVE-9710Exploit, Issue Tracking, Patch, Vendor Advisory
https://issues.apache.org/jira/browse/SPARK-14987Patch, Vendor Advisory
https://lists.apache.org/thread/59r4mv7glrxpwkkdjvjbdljfpx3f5zzcMailing List, Vendor Advisory
https://lists.apache.org/thread/5o2ljnzrv8zvhjw9vy7b4rwjpc32hgfcMailing List, Vendor Advisory
http://www.openwall.com/lists/oss-security/2024/12/23/2Mailing List, Third Party Advisory

Timeline

Published: Dec 23, 2024
Last Modified: Jun 17, 2026
Status: Analyzed

Frequently Asked Questions

What is CVE-2024-23945?

How severe is CVE-2024-23945?

CVE-2024-23945 has a CVSS score of 5.9/10 (MEDIUM severity). The EPSS model estimates a 1.47% probability of exploitation in the next 30 days.

How do I fix CVE-2024-23945?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2024-23945?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST