CVE-2025-8904 | THREATINT

Description

Amazon EMR Secret Agent creates a keytab file containing Kerberos credentials. This file is stored in the /tmp/ directory. A user with access to this directory and another account can potentially decrypt the keys and escalate to higher privileges. Users are advised to upgrade to Amazon EMR version 7.5 or higher. For Amazon EMR releases between 6.10 and 7.4, we strongly recommend that you run the bootstrap script and RPM files with the fix provided in the location below.

PUBLISHED Reserved 2025-08-12 | Published 2025-08-13 | Updated 2025-09-19 | Assigner AMZN

CRITICAL: 9.0CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

HIGH: 8.5CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Problem types

CWE-257: Storing Passwords in a Recoverable Format

Product status

Default status

unaffected

6.10 before 7.4

affected

References

docs.aws.amazon.com/...ide/emr-release-app-versions-7.x.html release-notes

aws.amazon.com/security/security-bulletins/AWS-2025-017/ vendor-advisory

github.com/advisories/GHSA-hf8h-76fm-735v third-party-advisory

cve.org (CVE-2025-8904)

nvd.nist.gov (CVE-2025-8904)

Download JSON