CVE-2024-23945Information Exposure via Error Message in Software Foundation Apache Hive

CWE-209Information Exposure via Error Message5 documents5 sources
Severity
5.9MEDIUMNVD
EPSS
6.5%
top 8.90%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
Apache Software Foundation Apache HiveApache Software Foundation Apache SparkApache Hive+1 more
Timeline
PublishedDec 23

Description

Signing cookies is an application security feature that adds a digital signature to cookie data to verify its authenticity and integrity. The signature helps prevent malicious actors from modifying the cookie value, which can lead to security vulnerabilities and exploitation. Apache Hive’s service component accidentally exposes the signed cookie to the end user when there is a mismatch in signature between the current and expected cookie. Exposing the correct cookie signature can lead to further

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages4 packages

NVDapache/hive1.2.04.0.0
NVDapache/spark2.0.03.3.4+2
CVEListV5apache_software_foundation/apache_hive1.2.04.0.0
CVEListV5apache_software_foundation/apache_spark2.0.03.0.0+3

Patches

Patch: github.comPatch: github.comPatch: issues.apache.org

🔴Vulnerability Details

3
CVEList
Apache Hive, Apache Spark, Apache Spark: CookieSigner exposes the correct signature when message verification fails2024-12-23
OSV
Apache Hive and Spark: CookieSigner exposes the correct signature when message verification fails2024-12-23
GHSA
Apache Hive and Spark: CookieSigner exposes the correct signature when message verification fails2024-12-23

📋Vendor Advisories

1
Red Hat
Apache Hive, Apache Spark, Apache Spark: CookieSigner exposes the correct signature when message verification fails2024-12-23
CVE-2024-23945 — Information Exposure via Error Message | cvebase