Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1mNWZ3LTI1Z3ctNW05Ms4AA_xF

Apache Hadoop: Temporary File Local Information Disclosure

Apache Hadoop’s RunJar.run() does not set permissions for temporary directory by default. If sensitive data will be present in this file, all the other local users may be able to view the content. This is because, on unix-like systems, the system temporary directory is shared between all local users. As such, files written in this directory, without setting the correct posix permissions explicitly, may be viewable by all other local users.

Permalink: https://github.com/advisories/GHSA-f5fw-25gw-5m92
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1mNWZ3LTI1Z3ctNW05Ms4AA_xF
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: 27 days ago
Updated: 27 days ago

CVSS Score: 3.3
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Identifiers: GHSA-f5fw-25gw-5m92, CVE-2024-23454
References:

Repository: https://github.com/apache/hadoop
Blast Radius: 14.3

Affected Packages

maven:org.apache.hadoop:hadoop-common

Dependent packages: 2,487
Dependent repositories: 22,274
Downloads:
Affected Version Ranges: < 3.4.0
Fixed in: 3.4.0
All affected versions: 0.22.0, 0.23.1, 0.23.3, 0.23.4, 0.23.5, 0.23.6, 0.23.7, 0.23.8, 0.23.9, 0.23.10, 0.23.11, 2.2.0, 2.3.0, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.5.2, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.7.4, 2.7.5, 2.7.6, 2.7.7, 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 2.8.5, 2.9.0, 2.9.1, 2.9.2, 2.10.0, 2.10.1, 2.10.2, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6
All unaffected versions: 3.4.0, 3.4.1