Lookup for vulnerable packages by Package URL.

Purl pkg:maven/org.apache.hive/hive-service@2.3.8
Type maven
Namespace org.apache.hive
Name hive-service
Version 2.3.8
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 4.0.0
Latest_non_vulnerable_version 4.0.0
Affected_by_vulnerabilities
0
url VCID-banm-xcds-4uad
vulnerability_id VCID-banm-xcds-4uad
summary
Apache Hive and Spark: CookieSigner exposes the correct signature when message verification fails
Signing cookies is an application security feature that adds a digital signature to cookie data to verify its authenticity and integrity. The signature helps prevent malicious actors from modifying the cookie value, which can lead to security vulnerabilities and exploitation. Apache Hive’s service component accidentally exposes the signed cookie to the end user when there is a mismatch in signature between the current and expected cookie. Exposing the correct cookie signature can lead to further exploitation.

The vulnerable CookieSigner logic was introduced in Apache Hive by HIVE-9710 (1.2.0) and in Apache Spark by SPARK-14987 (2.0.0). The affected components are the following:
* org.apache.hive:hive-service
* org.apache.spark:spark-hive-thriftserver_2.11
* org.apache.spark:spark-hive-thriftserver_2.12
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-23945
reference_id
reference_type
scores
0
value 0.06462
scoring_system epss
scoring_elements 0.91252
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-23945
1
reference_url https://github.com/apache/hive
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-24T01:50:23Z/
url https://github.com/apache/hive
2
reference_url https://github.com/apache/hive/commit/7638cb1a3b07713cc490aa2909a37037f89e08b4
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-24T01:50:23Z/
url https://github.com/apache/hive/commit/7638cb1a3b07713cc490aa2909a37037f89e08b4
3
reference_url https://github.com/apache/spark
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-24T01:50:23Z/
url https://github.com/apache/spark
4
reference_url https://github.com/apache/spark/commit/cf59b1f51c16301f689b4e0f17ba4dbd140e1b19
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-24T01:50:23Z/
url https://github.com/apache/spark/commit/cf59b1f51c16301f689b4e0f17ba4dbd140e1b19
5
reference_url https://issues.apache.org/jira/browse/HIVE-9710
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-24T01:50:23Z/
url https://issues.apache.org/jira/browse/HIVE-9710
6
reference_url https://issues.apache.org/jira/browse/SPARK-14987
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-24T01:50:23Z/
url https://issues.apache.org/jira/browse/SPARK-14987
7
reference_url https://lists.apache.org/thread/59r4mv7glrxpwkkdjvjbdljfpx3f5zzc
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-24T01:50:23Z/
url https://lists.apache.org/thread/59r4mv7glrxpwkkdjvjbdljfpx3f5zzc
8
reference_url https://lists.apache.org/thread/5o2ljnzrv8zvhjw9vy7b4rwjpc32hgfc
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-24T01:50:23Z/
url https://lists.apache.org/thread/5o2ljnzrv8zvhjw9vy7b4rwjpc32hgfc
9
reference_url http://www.openwall.com/lists/oss-security/2024/12/23/2
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2024/12/23/2
10
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-23945
reference_id CVE-2024-23945
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-23945
11
reference_url https://github.com/advisories/GHSA-77pm-w3hx-f8mj
reference_id GHSA-77pm-w3hx-f8mj
reference_type
scores
url https://github.com/advisories/GHSA-77pm-w3hx-f8mj
fixed_packages
0
url pkg:maven/org.apache.hive/hive-service@4.0.0
purl pkg:maven/org.apache.hive/hive-service@4.0.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.hive/hive-service@4.0.0
aliases CVE-2024-23945, GHSA-77pm-w3hx-f8mj
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-banm-xcds-4uad
1
url VCID-gcgn-udwx-xqft
vulnerability_id VCID-gcgn-udwx-xqft
summary
Apache Hive before 3.1.3 `CREATE` and `DROP` function operations do not check for necessary authorization.
Apache Hive before 3.1.3 `CREATE` and `DROP` function operations do not check for necessary authorization of involved entities in the query. It was found that an unauthorized user can manipulate an existing UDF without having the privileges to do so. This allowed unauthorized or underprivileged users to drop and recreate UDFs pointing them to new jars that could be potentially malicious.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-34538
reference_id
reference_type
scores
0
value 0.00451
scoring_system epss
scoring_elements 0.64028
published_at 2026-06-04T12:55:00Z
1
value 0.00451
scoring_system epss
scoring_elements 0.64079
published_at 2026-06-06T12:55:00Z
2
value 0.00451
scoring_system epss
scoring_elements 0.6407
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-34538
1
reference_url https://github.com/apache/hive
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/apache/hive
2
reference_url https://lists.apache.org/thread/oqqgnhz4c6nxsfd0xstosnk0g15f7354
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.apache.org/thread/oqqgnhz4c6nxsfd0xstosnk0g15f7354
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-34538
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-34538
4
reference_url https://github.com/advisories/GHSA-v3p8-j597-3xg8
reference_id GHSA-v3p8-j597-3xg8
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-v3p8-j597-3xg8
fixed_packages
0
url pkg:maven/org.apache.hive/hive-service@3.1.3
purl pkg:maven/org.apache.hive/hive-service@3.1.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-banm-xcds-4uad
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.hive/hive-service@3.1.3
aliases CVE-2021-34538, GHSA-v3p8-j597-3xg8
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-gcgn-udwx-xqft
Fixing_vulnerabilities
0
url VCID-he9j-yvcw-cuet
vulnerability_id VCID-he9j-yvcw-cuet
summary
Information Exposure
Apache Hive cookie signature verification used a non-constant-time comparison, which is known to be vulnerable to timing attacks. This could allow recovery of another user's cookie signature. The issue was addressed in Apache Hive
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2020-1926
reference_id
reference_type
scores
0
value 0.00478
scoring_system epss
scoring_elements 0.65404
published_at 2026-06-05T12:55:00Z
1
value 0.00478
scoring_system epss
scoring_elements 0.65414
published_at 2026-06-06T12:55:00Z
2
value 0.00478
scoring_system epss
scoring_elements 0.65352
published_at 2026-06-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2020-1926
1
reference_url https://issues.apache.org/jira/browse/HIVE-22708
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://issues.apache.org/jira/browse/HIVE-22708
2
reference_url https://lists.apache.org/thread.html/rd186eedff68102ba1e68059a808101c5aa587e11542c7dcd26e7b9d7%40%3Cuser.hive.apache.org%3E
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.apache.org/thread.html/rd186eedff68102ba1e68059a808101c5aa587e11542c7dcd26e7b9d7%40%3Cuser.hive.apache.org%3E
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2020-1926
reference_id CVE-2020-1926
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2020-1926
4
reference_url https://github.com/advisories/GHSA-54g4-5cf6-hjp3
reference_id GHSA-54g4-5cf6-hjp3
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-54g4-5cf6-hjp3
fixed_packages
0
url pkg:maven/org.apache.hive/hive-service@2.3.8
purl pkg:maven/org.apache.hive/hive-service@2.3.8
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-banm-xcds-4uad
1
vulnerability VCID-gcgn-udwx-xqft
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.hive/hive-service@2.3.8
aliases CVE-2020-1926, GHSA-54g4-5cf6-hjp3
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-he9j-yvcw-cuet
Risk_score 4.0
Resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.hive/hive-service@2.3.8