Apache Hadoop: Temporary File Local Information Disclosure

GHSA-f5fw-25gw-5m92 · CVE-2024-23454

Published Sep 25, 2024 · Modified Feb 4, 2026

Description

Apache Hadoop’s RunJar.run() does not set permissions for temporary directory by default. If sensitive data will be present in this file, all the other local users may be able to view the content. This is because, on unix-like systems, the system temporary directory is shared between all local users. As such, files written in this directory, without setting the correct posix permissions explicitly, may be viewable by all other local users.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2024-23454
WEB https://github.com/apache/hadoop/commit/8c2836402fbb2f619f1fef4ef625a8542e853a64
PACKAGE https://github.com/apache/hadoop
WEB https://issues.apache.org/jira/browse/HADOOP-19031
WEB https://lists.apache.org/thread/xlo7q8kn4tsjvx059r789oz19hzgfkfs
WEB https://security.netapp.com/advisory/ntap-20241101-0002
WEB http://www.openwall.com/lists/oss-security/2024/09/25/1

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes