Creation of Temporary File With Insecure Permissions
CVE-2024-23454
Summary
Apache Hadoop's "RunJar.run()" does not set permissions for the temporary directory by default. If sensitive data is present in that directory, other local users may be able to view its contents. This happens because all local users on Unix-like systems share the system temporary directory. As a result, files written in this directory, without explicitly setting the correct POSIX permissions, may be viewable by all other local users. The issue affects Apache Hadoop versions prior to 3.4.0.
- LOW
- LOCAL
- NONE
- UNCHANGED
- NONE
- NONE
- HIGH
- NONE
CWE-378 - Creation of Temporary File With Insecure Permissions
Opening temporary files without appropriate measures or controls can leave the file, its contents and any function that it impacts vulnerable to attack.
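The permission difference described in the summary, shown as an added example that is not Hadoop's code and is not taken from the advisory. The class name, method names and the "unjar-demo" prefix are assumptions made for illustration, and the program needs a POSIX file system. It creates one temporary directory with default permissions and one restricted to the owner, then prints the mode of each.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

// Illustrative class (hypothetical name), not part of Apache Hadoop.
public class TempDirPermissions {

    // Weak pattern: no permissions are requested, so the directory mode is
    // whatever the process umask allows (commonly rwxr-xr-x). In a shared
    // temporary directory, other local users can then list and read it.
    static Path createDefault(File parent) throws IOException {
        File dir = File.createTempFile("unjar-demo", "", parent);
        if (!dir.delete() || !dir.mkdirs()) {
            throw new IOException("could not create " + dir);
        }
        return dir.toPath();
    }

    // Hardened pattern: the directory is created in one step with
    // owner-only access, so there is no window with wider permissions.
    static Path createOwnerOnly(Path parent) throws IOException {
        FileAttribute<Set<PosixFilePermission>> ownerOnly =
            PosixFilePermissions.asFileAttribute(
                PosixFilePermissions.fromString("rwx------"));
        return Files.createTempDirectory(parent, "unjar-demo", ownerOnly);
    }

    // Render a path's POSIX mode as a string such as "rwx------".
    static String mode(Path p) throws IOException {
        return PosixFilePermissions.toString(Files.getPosixFilePermissions(p));
    }

    public static void main(String[] args) throws IOException {
        File tmp = new File(System.getProperty("java.io.tmpdir"));
        Path weak = createDefault(tmp);
        Path safe = createOwnerOnly(tmp.toPath());
        System.out.println("default:    " + mode(weak) + "  " + weak);
        System.out.println("owner-only: " + mode(safe) + "  " + safe);
        Files.delete(weak);   // clean up the demo directories
        Files.delete(safe);
    }
}
```

The same `mode` check can be pointed at an existing working directory to confirm that group and other bits are absent.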