17 matches found
CVE-2024-23945
Signing cookies is an application security feature that adds a digital signature to cookie data to verify its authenticity and integrity. The signature helps prevent malicious actors from modifying the cookie value, which can lead to security vulnerabilities and exploitation. Apache Hive’s servic...
OESA-2025-1039 spark security update
Apache Spark achieves high performance for both batch and streaming data, using a state-of-the-art DAG scheduler, a query optimizer, and a physical execution engine. Security Fixes: Signing cookies is an application security feature that adds a digital signature to cookie data to verify its...
GHSA-77PM-W3HX-F8MJ Apache Hive and Spark: CookieSigner exposes the correct signature when message verification fails
Signing cookies is an application security feature that adds a digital signature to cookie data to verify its authenticity and integrity. The signature helps prevent malicious actors from modifying the cookie value, which can lead to security vulnerabilities and exploitation. Apache Hive’s servic...
co.elastic.release-test:dist (=9.0.4), co.elastic.release-test:elasticsearch-hadoop-hive (=9.0.4) +193 more potentially affected by CVE-2024-23945 via org.apache.hive:hive-service (>=1.2.0 <=4.0.0-beta-1)
org.apache.hive:hive-service MAVEN version =1.2.0, =5.0.0, =1.7.0, =3.0.0, =0.1.1, =2.0.1-preview, =2.0.0, =5.0.1 - com.hotels:mutant-swarm =1.1.0 - com.hotels:waggle-dance =4.0.0 - com.hotels:waggle-dance-boot =4.0.0 - com.hotels:waggle-dance-core =4.0.0 and more Source cves: CVE-2024-23945 Sour...
Information Disclosure
hive-service is vulnerable to information disclosure. The vulnerability exists because the verifyAndExtract function of CookieSigner.java uses a constant-time comparison for cookie signature verification, allowing an attacker to recover another user's cookie signature...
org.apache.hive:hive-beeline (=1.0.0), org.apache.hive:hive-jdbc (=1.0.0) potentially affected by CVE-2015-1772 via org.apache.hive:hive-service (=1.0.0)
org.apache.hive:hive-service MAVEN version =1.0.0 is affected by a known vulnerability. The following packages have a transitive dependency on org.apache.hive:hive-service and may be impacted: - org.apache.hive:hive-beeline =1.0.0 - org.apache.hive:hive-jdbc =1.0.0 Source cves: CVE-2015-1772 Sour...
com.huemulsolutions.bigdata:huemul-bigdatagovernance (>=1.1 <=2.1), com.thinkbiganalytics.kylo:kylo-kerberos-test-client (=0.10.0) +3 more potentially affected by CVE-2015-1772 via org.apache.hive:hive-service (=1.1.0)
org.apache.hive:hive-service MAVEN version =1.1.0 is affected by a known vulnerability. The following packages have a transitive dependency on org.apache.hive:hive-service and may be impacted: - com.huemulsolutions.bigdata:huemul-bigdatagovernance =1.1, =2.1 -...
com.alibaba.blink:flink-hcatalog (>=blink-3.2.0 <=blink-3.7.0), com.datasalt.pangool:pangool-examples (>=0.60.0 <=0.70) +132 more potentially affected by CVE-2016-3083 via org.apache.hive:hive-service (>=0.10.0 <=1.2.1)
org.apache.hive:hive-service MAVEN version =0.10.0, =blink-3.2.0, =0.60.0, =1.0.1, =2.2.1, =2.2.2 - com.ge.research.semtk:nodeGroupExecutionService =2.2.2 - com.ge.research.semtk:nodeGroupService =2.2.2 - com.ge.research.semtk:nodeGroupStoreService =2.2.2 - com.ge.research.semtk:ontologyInfoServi...
com.webank.wedatasphere.dss:dolphinscheduler-prod-metrics (>=1.1.0 <=1.2.2), com.wgzhao.addax:hivereader (>=5.1.0 <=6.0.10) +28 more potentially affected by CVE-2017-12625 via org.apache.hive:hive-service (>=2.1.0 <=2.1.1)
org.apache.hive:hive-service MAVEN version =2.1.0, =1.1.0, =5.1.0, =1.15.4, =1.2.0, =2.0.1, =1.2.0, =1.2.0, =1.2.0, =2.0.1, =2.0.1, =3.0.0, =2.0.0, =3.0.0, =3.0.0, =3.0.6 and more Source cves: CVE-2017-12625 Source advisory: OSV:GHSA-2G9Q-CHQ2-W8QW https://vulners.com/osv/OSV:GHSA-2G9Q...
org.aksw.sparqlify:sparqlify-cli (=0.8.3), org.aksw.sparqlify:sparqlify-core (=0.8.3) +2 more potentially affected by CVE-2017-12625 via org.apache.hive:hive-service (=2.3.0)
org.apache.hive:hive-service MAVEN version =2.3.0 is affected by a known vulnerability. The following packages have a transitive dependency on org.apache.hive:hive-service and may be impacted: - org.aksw.sparqlify:sparqlify-cli =0.8.3 - org.aksw.sparqlify:sparqlify-core =0.8.3 -...
com.mydataharbor:jdbc-hive-2.2.x-plugin (>=1.1.1 <=2.0.2) potentially affected by CVE-2017-12625 via org.apache.hive:hive-service (=2.2.0)
org.apache.hive:hive-service MAVEN version =2.2.0 is affected by a known vulnerability. The following packages have a transitive dependency on org.apache.hive:hive-service and may be impacted: - com.mydataharbor:jdbc-hive-2.2.x-plugin =1.1.1, =2.0.2 Source cves: CVE-2017-12625 Source advisory:...
com.ge.research.semtk:arangoDbService (=2.2.2), com.ge.research.semtk:athenaService (=2.2.2) +129 more potentially affected by CVE-2018-1314 via org.apache.hive:hive-jdbc (>=0.11.0 <=2.3.2)
org.apache.hive:hive-jdbc MAVEN version =0.11.0, =2.2.1, =2.2.1, =2.2.1, =2.2.2 - com.ge.research.semtk:sparqlGraphResultsService =2.2.2 and more Source cves: CVE-2018-1314 Source advisory: OSV:GHSA-JMF4-PQ78-F8VJ...
com.ge.research.semtk:arangoDbService (=2.2.2), com.ge.research.semtk:athenaService (=2.2.2) +135 more potentially affected by CVE-2018-1284 via org.apache.hive:hive-service (>=0.8.0 <=2.3.2)
org.apache.hive:hive-service MAVEN version =0.8.0, =2.2.1, =2.2.1, =2.2.1, =2.2.2 - com.ge.research.semtk:sparqlGraphResultsService =2.2.2 and more Source cves: CVE-2018-1284 Source advisory: OSV:GHSA-RXMR-C9JM-7MM8...
com.hotels:beeju (=4.0.1), com.mydataharbor:jdbc-hive-2.2.x-plugin (>=1.1.1 <=2.0.2) +44 more potentially affected by CVE-2018-1315 via org.apache.hive:hive-service (>=2.1.0 <=2.3.2)
org.apache.hive:hive-service MAVEN version =2.1.0, =1.1.1, =1.1.0, =5.1.0, =1.15.4, =0.9.1, =0.8.4, =0.8.3, =0.8.3, =0.8.3, =0.8.3, =1.2.0, =2.0.1, =1.2.0, =3.0.6 and more Source cves: CVE-2018-1315 Source advisory: OSV:GHSA-P639-XXV5-J383...
com.ge.research.semtk:arangoDbService (=2.2.2), com.ge.research.semtk:athenaService (=2.2.2) +68 more potentially affected by CVE-2015-7521 via org.apache.hive:hive-service (>=1.0.0 <=1.2.1)
org.apache.hive:hive-service MAVEN version =1.0.0, =2.2.1, =2.2.1, =2.2.1, =2.2.2 - com.ge.research.semtk:sparqlGraphResultsService =2.2.2 and more Source cves: CVE-2015-7521 Source advisory: OSV:GHSA-83R3-C79W-F6WC...
com.alibaba.blink:flink-hcatalog (>=blink-3.2.0 <=blink-3.7.0), com.datasalt.pangool:pangool-examples (>=0.60.0 <=0.70) +46 more potentially affected by CVE-2014-0228 via org.apache.hive:hive-service (>=0.10.0 <=0.13.0)
org.apache.hive:hive-service MAVEN version =0.10.0, =blink-3.2.0, =0.60.0, =1.0.1, =0.2.0, =0.3.0, =0.2.2, =0.2.2, =0.2.6, =0.0.0, =0.9.0, =1.6.4 and more Source cves: CVE-2014-0228 Source advisory: OSV:GHSA-W4X9-4F5X-8JJ8...
Certificate Validation Bypass Due To SSL Vulnerability
hive-service is susceptible to certificate validation bypass. The client bypasses the validation of the common name attribute in the certificate of the server after sending an SSL request to it. Therefore, the client regards the certificate as a valid certificate and proceeds to the SSL handshake...