Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1mNWZ3LTI1Z3ctNW05Ms4AA_xF
Apache Hadoop: Temporary File Local Information Disclosure
Apache Hadoop’s RunJar.run()
does not set permissions for temporary directory by default. If sensitive data will be present in this file, all the other local users may be able to view the content. This is because, on unix-like systems, the system temporary directory is shared between all local users. As such, files written in this directory, without setting the correct posix permissions explicitly, may be viewable by all other local users.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1mNWZ3LTI1Z3ctNW05Ms4AA_xF
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: 18 days ago
Updated: 18 days ago
CVSS Score: 3.3
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Identifiers: GHSA-f5fw-25gw-5m92, CVE-2024-23454
References:
- https://nvd.nist.gov/vuln/detail/CVE-2024-23454
- https://issues.apache.org/jira/browse/HADOOP-19031
- https://lists.apache.org/thread/xlo7q8kn4tsjvx059r789oz19hzgfkfs
- https://github.com/apache/hadoop/commit/8c2836402fbb2f619f1fef4ef625a8542e853a64
- https://github.com/advisories/GHSA-f5fw-25gw-5m92
Blast Radius: 14.3
Affected Packages
maven:org.apache.hadoop:hadoop-common
Dependent packages: 2,487Dependent repositories: 22,274
Downloads:
Affected Version Ranges: < 3.4.0
Fixed in: 3.4.0
All affected versions: 0.22.0, 0.23.1, 0.23.3, 0.23.4, 0.23.5, 0.23.6, 0.23.7, 0.23.8, 0.23.9, 0.23.10, 0.23.11, 2.2.0, 2.3.0, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.5.2, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.7.4, 2.7.5, 2.7.6, 2.7.7, 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 2.8.5, 2.9.0, 2.9.1, 2.9.2, 2.10.0, 2.10.1, 2.10.2, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6
All unaffected versions: 3.4.0