Creation of Temporary File in Directory with Insecure Permissions Affecting org.apache.hadoop:hadoop-common package, versions [,3.4.0)


Severity

Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.04% (11th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Creation of Temporary File in Directory with Insecure Permissions vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-JAVA-ORGAPACHEHADOOP-8089372
  • published25 Sept 2024
  • disclosed25 Sept 2024
  • creditAndrea Cosentino

Introduced: 25 Sep 2024

CVE-2024-23454  (opens in a new tab)
CWE-379  (opens in a new tab)

How to fix?

Upgrade org.apache.hadoop:hadoop-common to version 3.4.0 or higher.

Overview

org.apache.hadoop:hadoop-common is a framework that allows for the distributed processing of large data sets across clusters of computers using simple programming models.

Affected versions of this package are vulnerable to Creation of Temporary File in Directory with Insecure Permissions in the RunJar.run() method. If sensitive data is stored in this file, a local attacker can view it by accessing the temporary directory where this data is stored.

Note:

This vulnerability can only be exploited on unix-like systems, where the system temporary directory is shared between all local users.

CVSS Scores

version 4.0
version 3.1