PT-2024-6668 · Apache · Apache Hadoop
Andrea Cosentino · Published 2024-09-24 · Updated 2026-05-18 · CVE-2024-23454
CVSS v3.1: 6.2 (Medium)
| Vector | AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions:
Apache Hadoop versions prior to 3.4.0
Description:
The issue is in the RunJar.run() function in Apache Hadoop, which does not set permissions on the temporary directory it creates, so the directory inherits whatever the process umask allows. Because the system temporary directory is shared among all local users on Unix-like systems, other local users can read sensitive data written to this directory.
Recommendations:
For Apache Hadoop versions prior to 3.4.0, update to version 3.4.0 or later to resolve the issue. As a temporary workaround, set correct POSIX permissions explicitly on the temporary directory to prevent unauthorized access. Restrict access to sensitive data written to the temporary directory until the issue is resolved.
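To illustrate the weakness class described above, the following is an added example (not Hadoop's own RunJar code and not the upstream fix): a temporary directory created with a plain mkdir under the shared system temp dir inherits the process umask, while asking the filesystem for owner-only permissions at creation time leaves no window in which another local user can list it. Names such as createTempDirWeak and the "unjar-" prefixes are assumptions for the example.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

public class UnjarTempDir {

    // Weak pattern (illustrative): a directory under the shared system temp dir,
    // created with whatever the umask allows; a common umask of 022 yields 0755,
    // so every local user can list and read the unpacked contents.
    static Path createTempDirWeak(String prefix) throws IOException {
        File tmpDir = new File(System.getProperty("java.io.tmpdir"));
        File workDir = new File(tmpDir, prefix + Long.toHexString(System.nanoTime()));
        if (!workDir.mkdir()) {
            throw new IOException("mkdir failed: " + workDir);
        }
        return workDir.toPath();
    }

    // Hardened form: request rwx------ as a creation attribute. On POSIX the JDK's
    // createTempDirectory already defaults to owner-only, but stating the attribute
    // makes the intent explicit and does not depend on the umask at all.
    static Path createTempDirHardened(String prefix) throws IOException {
        Path tmpDir = Paths.get(System.getProperty("java.io.tmpdir"));
        FileAttribute<Set<PosixFilePermission>> ownerOnly =
            PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rwx------"));
        return Files.createTempDirectory(tmpDir, prefix, ownerOnly);
    }

    // Audit helper: true only if no group or other permission bit is set.
    static boolean isOwnerOnly(Path dir) throws IOException {
        for (PosixFilePermission p : Files.getPosixFilePermissions(dir)) {
            if (!p.name().startsWith("OWNER_")) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) throws IOException {
        Path weak = createTempDirWeak("unjar-weak-");
        Path hardened = createTempDirHardened("unjar-hardened-");
        System.out.println(weak + " owner-only: " + isOwnerOnly(weak));
        System.out.println(hardened + " owner-only: " + isOwnerOnly(hardened));
        Files.delete(weak);
        Files.delete(hardened);
    }
}
```

The same isOwnerOnly check can be run over an existing temp directory as a quick verification that the workaround (explicit POSIX permissions) has actually been applied.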
Fix
Improper Privilege Management
Affected Products
Apache Hadoop