Apache Hadoop RunJar.run() Fails to Secure Tmp Dir Local User Data Exposure
CVE-2024-23454 Published on September 25, 2024

Apache Hadoop: Temporary File Local Information Disclosure
Apache Hadoop's RunJar.run() does not set permissions on the temporary directory it creates, so the directory gets whatever the process umask allows. If sensitive data is written there, every other local user may be able to read it, because on Unix-like systems the system temporary directory (typically /tmp) is shared by all local users. Files and directories created there without explicitly setting restrictive POSIX permissions are therefore readable by any other local user.
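As an added example (this is not Hadoop's code and not a description of its patch), the following Java program shows the temporary-directory pattern the advisory describes beside a hardened form, plus a check for group/other permission bits. It assumes a POSIX file system and uses a generic "unjar" prefix; the exact names and call sequence inside RunJar are not taken from this page.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

/**
 * Added example, not Hadoop project code. Demonstrates CWE-378 style temp
 * directory creation and a hardened alternative. ASSUMPTION: POSIX file system.
 */
public class TempDirPermissions {

    /**
     * Vulnerable pattern: File.createTempFile reserves a unique name, then the
     * file is replaced by a directory via mkdir(). The directory's mode comes
     * from the umask (commonly 022, giving drwxr-xr-x), so other local users can
     * list and read it. The delete-then-mkdir step is also a small race window
     * in which another local user could create that path first.
     */
    static File insecureTempDir(File tmpDir) throws IOException {
        File workDir = File.createTempFile("unjar", "", tmpDir);
        if (!workDir.delete() || !workDir.mkdir()) {
            throw new IOException("cannot create work directory " + workDir);
        }
        return workDir;
    }

    /**
     * Hardened form: Files.createTempDirectory creates the directory atomically
     * and, on POSIX, defaults to rwx------ when no attributes are given. The
     * permissions are passed explicitly here so the intent survives a change of
     * JDK defaults or umask.
     */
    static Path secureTempDir(Path tmpDir) throws IOException {
        Set<PosixFilePermission> ownerOnly = PosixFilePermissions.fromString("rwx------");
        return Files.createTempDirectory(tmpDir, "unjar",
                PosixFilePermissions.asFileAttribute(ownerOnly));
    }

    /** True if any group or other permission bit is set on the path. */
    static boolean isExposed(Path dir) throws IOException {
        return Files.getPosixFilePermissions(dir).stream()
                .anyMatch(p -> !p.name().startsWith("OWNER_"));
    }

    static String modeOf(Path dir) throws IOException {
        return PosixFilePermissions.toString(Files.getPosixFilePermissions(dir));
    }

    public static void main(String[] args) throws IOException {
        Path tmp = Paths.get(System.getProperty("java.io.tmpdir"));

        Path bad = insecureTempDir(tmp.toFile()).toPath();
        Path good = secureTempDir(tmp);
        try {
            // With umask 022 this prints rwxr-xr-x / exposed=true for the first line
            // and rwx------ / exposed=false for the second.
            System.out.println(bad + " mode=" + modeOf(bad) + " exposed=" + isExposed(bad));
            System.out.println(good + " mode=" + modeOf(good) + " exposed=" + isExposed(good));
        } finally {
            Files.deleteIfExists(bad);
            Files.deleteIfExists(good);
        }
    }
}
```

Run it with the umask you deploy under, not only your interactive shell's; a service manager or container runtime may set a different one, which is exactly why the hardened form pins the mode rather than relying on the default.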

References: Vendor Advisory, NVD

Vulnerability Analysis

CVE-2024-23454 requires local access to the host but no privileges and no user interaction, and its attack complexity is rated low. A successful exploit has a high impact on confidentiality and no impact on integrity or availability, as the CVSS base metrics below show.

Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

Weakness Type

Creation of Temporary File With Insecure Permissions (CWE-378)

Creating temporary files or directories without explicitly restricting their permissions leaves the file, its contents, and any function that depends on it exposed to other local users.
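The check a host owner wants here is whether such a directory already sits in the shared temp location with group or other read bits set. The script below is an added example, not from the advisory or the Hadoop project: it audits a temp directory for exposed entries, counts them for a CI or cron check, and restricts them to the owner. It assumes /tmp unless java.io.tmpdir was changed, and the "hadoop-unjar" prefix is a guess at the naming; pass your own prefix as the second argument.

```sh
#!/bin/sh
# Added example, not from the advisory or the Hadoop project.
# ASSUMPTIONS: the temp dir is /tmp unless java.io.tmpdir was changed, and
# "hadoop-unjar" is a guessed prefix for the work directories; override both.

# Print every entry directly under $1 whose name starts with prefix $2 and
# which has the group-read (040) or other-read (004) bit set.
audit_tmp_dirs() {
    dir="${1:-/tmp}"
    prefix="${2:-hadoop-unjar}"
    find "$dir" -maxdepth 1 -name "${prefix}*" \( -perm -040 -o -perm -004 \) 2>/dev/null
}

# Remediate: restrict each exposed entry to its owner (rwx------).
# chmod fails harmlessly on entries owned by another user.
harden_tmp_dirs() {
    audit_tmp_dirs "$1" "$2" | while IFS= read -r entry; do
        chmod 700 "$entry" && printf 'hardened %s\n' "$entry"
    done
}

# Number of exposed entries, so a scheduled job can alert on anything above 0.
count_exposed() {
    audit_tmp_dirs "$1" "$2" | wc -l | tr -d ' '
}

# Usage: report exposed work directories in the default temp location.
audit_tmp_dirs "${TMPDIR:-/tmp}"
```

Note that a read bit on the directory only lets another user list or read what is inside if the entries themselves are also readable, which is the usual outcome under a 022 umask; the audit is deliberately conservative and flags the directory either way.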


Products Associated with CVE-2024-23454


Affected Versions

Apache Software Foundation Apache Hadoop:

Exploit Probability

EPSS: 0.10% (percentile 28.34%)

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days; the percentile ranks that score against all other scored vulnerabilities.