CVE-2024-23454

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-23454
Apache Hadoop’s RunJar.run() does not set permissions for temporary directory by default. If sensitive data will be present in this file, all the other local users may be able to view the content. This is because, on unix-like systems, the system temporary directory is shared between all local users. As such, files written in this directory, without setting the correct posix permissions explicitly, may be viewable by all other local users.

6.2 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.5 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://issues.apache.org/jira/browse/HADOOP-19031
https://lists.apache.org/thread/xlo7q8kn4tsjvx059r789oz19hzgfkfs
http://www.openwall.com/lists/oss-security/2024/09/25/1
https://security.netapp.com/advisory/ntap-20241101-0002/
Configurations

No configuration.

History

21 Nov 2024, 08:57

Type Values Removed Values Added
References
  • () http://www.openwall.com/lists/oss-security/2024/09/25/1 -
  • () https://security.netapp.com/advisory/ntap-20241101-0002/ -

05 Nov 2024, 20:35

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 6.2

26 Sep 2024, 13:32

Type Values Removed Values Added
Summary
  • (es) RunJar.run() de Apache Hadoop no establece permisos para el directorio temporal de forma predeterminada. Si en este archivo se encuentran datos confidenciales, todos los demás usuarios locales podrán ver el contenido. Esto se debe a que, en sistemas tipo Unix, el directorio temporal del sistema se comparte entre todos los usuarios locales. Por lo tanto, los archivos escritos en este directorio, sin establecer explícitamente los permisos posix correctos, pueden ser visibles para todos los demás usuarios locales.

25 Sep 2024, 08:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-09-25 08:15

Updated : 2024-11-21 08:57

NVD link : CVE-2024-23454

Mitre link : CVE-2024-23454

CVE.ORG link : CVE-2024-23454

JSON object : View

Products Affected

No product.

CWE
CWE-269

Improper Privilege Management