{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2024-23454","assignerOrgId":"f0158376-9dc2-43b6-827c-5f631a4d8d09","state":"PUBLISHED","assignerShortName":"apache","dateReserved":"2024-01-17T09:57:28.086Z","datePublished":"2024-09-25T07:45:43.496Z","dateUpdated":"2025-09-05T09:09:36.997Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Apache Hadoop","vendor":"Apache Software Foundation","versions":[{"lessThan":"3.4.0","status":"affected","version":"0","versionType":"semver"}]}],"credits":[{"lang":"en","type":"finder","value":"Andrea Cosentino"}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<span style=\"background-color: rgb(255, 255, 255);\"><span style=\"background-color: rgb(255, 255, 255);\">Apache Hadoop’s RunJar.run()&nbsp;<span style=\"background-color: rgb(255, 255, 255);\">does not set permissions for temporary directory&nbsp;by default. I</span></span>f sensitive data will be present in this file, all the other local users may be able to view the content.\nThis is because, on unix-like systems, the system temporary directory is\nshared between all local users. As such, files written in this directory,\nwithout setting the correct posix permissions explicitly, may be viewable\nby all other local users.\n</span><br><br>"}],"value":"Apache Hadoop’s RunJar.run() does not set permissions for temporary directory by default. If sensitive data will be present in this file, all the other local users may be able to view the content.\nThis is because, on unix-like systems, the system temporary directory is\nshared between all local users. As such, files written in this directory,\nwithout setting the correct posix permissions explicitly, may be viewable\nby all other local users."}],"metrics":[{"other":{"content":{"text":"low"},"type":"Textual description of severity"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-378","description":"CWE-378 Creation of Temporary File With Insecure Permissions","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"f0158376-9dc2-43b6-827c-5f631a4d8d09","shortName":"apache","dateUpdated":"2025-09-05T09:09:36.997Z"},"references":[{"tags":["issue-tracking"],"url":"https://issues.apache.org/jira/browse/HADOOP-19031"},{"tags":["vendor-advisory"],"url":"https://lists.apache.org/thread/xlo7q8kn4tsjvx059r789oz19hzgfkfs"}],"source":{"defect":["HADOOP-19031"],"discovery":"UNKNOWN"},"title":"Apache Hadoop: Temporary File Local Information Disclosure","x_generator":{"engine":"Vulnogram 0.1.0-dev"}},"adp":[{"title":"CVE Program Container","references":[{"url":"http://www.openwall.com/lists/oss-security/2024/09/25/1"},{"url":"https://security.netapp.com/advisory/ntap-20241101-0002/"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-11-01T17:03:09.837Z"}},{"metrics":[{"cvssV3_1":{"scope":"UNCHANGED","version":"3.1","baseScore":6.2,"attackVector":"LOCAL","baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","integrityImpact":"NONE","userInteraction":"NONE","attackComplexity":"LOW","availabilityImpact":"NONE","privilegesRequired":"NONE","confidentialityImpact":"HIGH"}},{"other":{"type":"ssvc","content":{"timestamp":"2024-09-25T15:19:22.767501Z","id":"CVE-2024-23454","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-11-05T20:09:52.739Z"}}]}}