CVE-2024-23454: Apache Hadoop: Temporary File Local Information Disclosure

September 25, 2024

Apache Hadoop’s RunJar.run() does not set permissions for temporary directory by default. If sensitive data will be present in this file, all the other local users may be able to view the content. This is because, on unix-like systems, the system temporary directory is shared between all local users. As such, files written in this directory, without setting the correct posix permissions explicitly, may be viewable by all other local users.

References

github.com/advisories/GHSA-f5fw-25gw-5m92
github.com/apache/hadoop
github.com/apache/hadoop/commit/8c2836402fbb2f619f1fef4ef625a8542e853a64
issues.apache.org/jira/browse/HADOOP-19031
lists.apache.org/thread/xlo7q8kn4tsjvx059r789oz19hzgfkfs
nvd.nist.gov/vuln/detail/CVE-2024-23454

Detect and mitigate CVE-2024-23454 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →