6.2

CVE-2024-23454

Apache Hadoop: Temporary File Local Information Disclosure

Apache Hadoop’s RunJar.run() does not set permissions for temporary directory by default. If sensitive data will be present in this file, all the other local users may be able to view the content.
This is because, on unix-like systems, the system temporary directory is
shared between all local users. As such, files written in this directory,
without setting the correct posix permissions explicitly, may be viewable
by all other local users.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
ApacheHadoop Version < 3.4.0
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.38% 0.304
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0 6.2 2.5 3.6
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE-378 Creation of Temporary File With Insecure Permissions

Opening temporary files without appropriate measures or controls can leave the file, its contents and any function that it impacts vulnerable to attack.

https://issues.apache.org/jira/browse/HADOOP-19031
Patch
Vendor Advisory
https://lists.apache.org/thread/xlo7q8kn4tsjvx059r789oz19hzgfkfs
Vendor Advisory
Mailing List
http://www.openwall.com/lists/oss-security/2024/09/25/1
Third Party Advisory
Mailing List
https://security.netapp.com/advisory/ntap-20241101-0002/
Third Party Advisory