SCA: security update for org.apache.hive:hive-service, org.apache.spark:spark-hive-thriftserver_2.12 (GHSA-77pm-w3hx-f8mj)

high Tenable Self-Hosted Container Security Plugin ID 411910

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Signing cookies is an application security feature that adds a digital signature to cookie data to verify
its authenticity and integrity. The signature helps prevent malicious actors from modifying the cookie
value, which can lead to security vulnerabilities and exploitation. Apache Hive’s service component
accidentally exposes the signed cookie to the end user when there is a mismatch in signature between the
current and expected cookie. Exposing the correct cookie signature can lead to further exploitation. The
vulnerable CookieSigner logic was introduced in Apache Hive by HIVE-9710 (1.2.0) and in Apache Spark by
SPARK-14987 (2.0.0). The affected components are the following: * org.apache.hive:hive-service *
org.apache.spark:spark-hive-thriftserver_2.11 * org.apache.spark:spark-hive-thriftserver_2.12
(CVE-2024-23945)

See Also

https://github.com/advisories/GHSA-77pm-w3hx-f8mj

Plugin Details

Severity: High

ID: 411910

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.51

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Medium

Base Score: 5.4

Temporal Score: 4.2

Vector: CVSS2#AV:N/AC:H/Au:N/C:N/I:C/A:N

CVSS Score Source: CVE-2024-23945

CVSS v3

Risk Factor: Medium

Base Score: 5.9

Temporal Score: 5.3

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: High

Base Score: 8.7

Threat Score: 8.7

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 12/23/2024

Vulnerability Publication Date: 12/23/2024

Reference Information

CVE: CVE-2024-23945

cwe: CWE-209