CVE-2025-8904
CVE-2025-8904
9.0
CriticalPublished:
Last updated:
Source:ff89ba41-3aa1-4d27-914a-91399e9639e5
Deferred
Weakness (CWE)
CVSS Vector
v4.0- Attack Vector
- Network
- Attack Complexity
- High
- Attack Requirements
- Present
- Privileges Required
- Low
- User Interaction
- None
- Confidentiality (Vulnerable)
- High
- Integrity (Vulnerable)
- High
- Availability (Vulnerable)
- High
- Confidentiality (Subsequent)
- High
- Integrity (Subsequent)
- High
- Availability (Subsequent)
- High
Description
Amazon EMR Secret Agent creates a keytab file containing Kerberos credentials. This file is stored in the /tmp/ directory. A user with access to this directory and another account can potentially decrypt the keys and escalate to higher privileges. Users are advised to upgrade to Amazon EMR version 7.5 or higher. For Amazon EMR releases between 6.10 and 7.4, we strongly recommend that you run the bootstrap script and RPM files with the fix provided in the location below.
References
ff89ba41-3aa1-4d27-914a-91399e9639e5
https://aws.amazon.com/security/security-bulletins/AWS-2025-017/ff89ba41-3aa1-4d27-914a-91399e9639e5
https://docs.aws.amazon.com/emr/latest/ReleaseGuide/emr-750-release.htmlff89ba41-3aa1-4d27-914a-91399e9639e5
https://github.com/advisories/GHSA-hf8h-76fm-735v