VYPR
Low severity · NVD Advisory · Published Sep 25, 2024 · Updated Sep 5, 2025

Apache Hadoop: Temporary File Local Information Disclosure

CVE-2024-23454

Description

Apache Hadoop’s RunJar.run() does not set permissions for the temporary directory by default. If sensitive data is present in this file, all other local users may be able to view the content. This is because, on Unix-like systems, the system temporary directory is shared between all local users. As such, files written in this directory without explicitly setting the correct POSIX permissions may be viewable by all other local users.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Apache Hadoop's RunJar.run() creates temporary files with default world-readable permissions, allowing other local users to access sensitive data.

Vulnerability

Description

Apache Hadoop's RunJar.run() method creates temporary files using File.createTempFile() without explicitly setting POSIX permissions. On Unix-like systems, the system temporary directory (e.g., /tmp) is shared among all local users, so files created there inherit default permissions that may allow any local user to read them [1][2]. This oversight means that if sensitive data is written to these temporary files, it can be exposed to other users on the same host.

Exploitation

An attacker must have local user access to the same Unix-like system where Hadoop's RunJar is executed. No additional authentication or network access is required beyond being a local user. The attacker can simply read the temporary files created in the shared directory, as they lack restrictive permissions [1][2].

Impact

If sensitive information—such as configuration details, credentials, or other confidential data—is present in the temporary file, all other local users may be able to view its contents. Apache rates this vulnerability as low severity [2].

Mitigation

The issue is fixed in Apache Hadoop version 3.4.0. The fix replaces File.createTempFile() with Files.createTempDirectory() using POSIX permissions rwx------, ensuring only the owner can access the temporary directory [4]. Users are advised to upgrade to Hadoop 3.4.0 or later. No workaround is documented.
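
To check whether a host still holds RunJar work directories that other local users can access, the following shell audit (an added example, not part of the advisory or the Hadoop project) lists entries carrying the hadoop-unjar prefix from the patch whose mode grants any group or other bit. The function names and the /tmp default for java.io.tmpdir are assumptions.

```shell
#!/bin/sh
# Added example (not Hadoop project code): audit a temp directory for
# RunJar work directories that group or other users can access.
# Assumptions: work dirs sit directly under the JVM's java.io.tmpdir
# (/tmp by default here) and use the "hadoop-unjar" prefix from the patch.

# Print every hadoop-unjar* entry in $1 with any group/other permission bit.
# A directory created with rwx------ (the fixed behaviour) is not listed.
list_exposed_unjar() {
  dir=${1:-/tmp}
  find "$dir" -maxdepth 1 -name 'hadoop-unjar*' \
    \( -perm -040 -o -perm -020 -o -perm -010 \
       -o -perm -004 -o -perm -002 -o -perm -001 \) -print 2>/dev/null
}

# Return 0 when nothing is exposed, 1 otherwise, so the check can gate
# a cron job or a configuration-management run.
check_unjar_perms() {
  exposed=$(list_exposed_unjar "$1")
  if [ -n "$exposed" ]; then
    printf '%s\n' "$exposed" | sed 's/^/exposed RunJar work dir: /' >&2
    return 1
  fi
  return 0
}

# Usage: check_unjar_perms /tmp || echo "upgrade hadoop-common to 3.4.0 or later"
```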

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.apache.hadoop:hadoop-common (Maven)
Affected versions: < 3.4.0
Patched versions: 3.4.0

Patches

8c2836402fbb

HADOOP-19031. Enhance access control for RunJar. (#6427). Contributed by He Xiaoqiao.

https://github.com/apache/hadoop · Hexiaoqiao · Jan 17, 2024 · via ghsa
1 file changed · +9 -7
  • hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/RunJar.java+9 7 modified
    @@ -28,10 +28,14 @@
     import java.net.URL;
     import java.net.URLClassLoader;
     import java.nio.file.Files;
    +import java.nio.file.attribute.FileAttribute;
    +import java.nio.file.attribute.PosixFilePermission;
    +import java.nio.file.attribute.PosixFilePermissions;
     import java.util.ArrayList;
     import java.util.Arrays;
     import java.util.Enumeration;
     import java.util.List;
    +import java.util.Set;
     import java.util.jar.JarEntry;
     import java.util.jar.JarFile;
     import java.util.jar.JarInputStream;
    @@ -287,20 +291,18 @@ public void run(String[] args) throws Throwable {
     
         final File workDir;
         try {
    -      workDir = File.createTempFile("hadoop-unjar", "", tmpDir);
    -    } catch (IOException ioe) {
    +      FileAttribute<Set<PosixFilePermission>> perms = PosixFilePermissions
    +          .asFileAttribute(PosixFilePermissions.fromString("rwx------"));
    +      workDir = Files.createTempDirectory(tmpDir.toPath(), "hadoop-unjar", perms).toFile();
    +    } catch (IOException | SecurityException e) {
           // If user has insufficient perms to write to tmpDir, default
           // "Permission denied" message doesn't specify a filename.
           System.err.println("Error creating temp dir in java.io.tmpdir "
    -                         + tmpDir + " due to " + ioe.getMessage());
    +                         + tmpDir + " due to " + e.getMessage());
           System.exit(-1);
           return;
         }
     
    -    if (!workDir.delete()) {
    -      System.err.println("Delete failed for " + workDir);
    -      System.exit(-1);
    -    }
         ensureDirectory(workDir);
     
         ShutdownHookManager.get().addShutdownHook(
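
Review bot: The new catch (IOException | SecurityException e) in run() does not cover UnsupportedOperationException, which Files.createTempDirectory(tmpDir.toPath(), "hadoop-unjar", perms) throws when the file system holding tmpDir cannot set the POSIX permission attribute at creation time (a non-POSIX file system, for example). On such a host the exception escapes run() without the "Error creating temp dir in java.io.tmpdir" message. Suggest adding UnsupportedOperationException to the catch, or handling that case explicitly with a documented fallback. A short comment above perms saying why the mode is rwx------ would also help, and since createTempDirectory already creates the directory it is worth confirming that the retained ensureDirectory(workDir) call is still needed.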
    
