CVE-2025-8904
BaseFortify
Publication date: 2025-08-13
Last updated on: 2025-10-14
Assigner: AMZN
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| amazon | emr | 6.10 |
| amazon | emr | 7.5 |
| amazon | emr | 7.4 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-257 | The storage of passwords in a recoverable format makes them subject to password reuse attacks by malicious users. In fact, it should be noted that recoverable encrypted passwords provide no significant benefit over plaintext passwords since they are subject not only to reuse by malicious attackers but also by malicious insiders. If a system administrator can recover a password directly, or use a brute force search on the available information, the administrator can use the password on other accounts. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability occurs in the Amazon EMR Secret Agent component, which creates a keytab file containing Kerberos credentials and stores it in the /tmp/ directory. Because the /tmp/ directory is accessible to users with access to the system, an attacker who can access this directory and has another account could potentially decrypt the Kerberos keys. This could allow the attacker to escalate their privileges on the system. [1]
How can this vulnerability impact me?
If exploited, this vulnerability can allow an attacker with access to the /tmp/ directory and another account to decrypt Kerberos credentials and escalate their privileges. This means the attacker could gain higher-level access than intended, potentially compromising the security and integrity of your Amazon EMR cluster and its data. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
You can detect this vulnerability by checking if your Amazon EMR cluster is running a version between 6.10 and 7.4 and if the /tmp/ directory contains a keytab file with Kerberos credentials created by the Amazon EMR Secret Agent. A possible command to find such files is: `ls -l /tmp/*.keytab` or `find /tmp/ -name '*.keytab'`. If such files exist and your EMR version is affected, the vulnerability is present. [1]
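The name-based `find` above misses a keytab staged under a name that does not end in `.keytab`. The following added example (not from the advisory or from AWS) identifies keytabs by their two-byte file header instead and reports whether group or other users can read each one. The function names and the `EXPOSED` / `OWNER-ONLY` labels are this example's own.

```shell
#!/bin/sh
# Added example (not from the advisory): find keytab files by content, not name.

is_keytab() {
    # A keytab starts with byte 0x05 followed by format version 0x01 or 0x02.
    magic=$(od -An -tx1 -N2 "$1" 2>/dev/null | tr -d ' \n')
    [ "$magic" = "0502" ] || [ "$magic" = "0501" ]
}

scan_keytabs() {
    # Print "<flag> <mode> <owner> <path>" for each keytab under $1 (default /tmp).
    # flag is EXPOSED when group or other has read permission, else OWNER-ONLY.
    # Files the caller cannot read are skipped, so run as root for full coverage.
    find "${1:-/tmp}" -xdev -type f 2>/dev/null | while IFS= read -r f; do
        is_keytab "$f" || continue
        meta=$(ls -ld "$f" | awk '{print $1, $3}')
        perms=${meta% *}
        owner=${meta#* }
        case $perms in
            ????r*|???????r*) flag=EXPOSED ;;
            *)                flag=OWNER-ONLY ;;
        esac
        printf '%s %s %s %s\n' "$flag" "$perms" "$owner" "$f"
    done
}

# Scan the directory given on the command line, if any.
if [ "$#" -gt 0 ]; then
    scan_keytabs "$1"
fi
```

Run it on each cluster node as `sh scan_keytabs.sh /tmp` (the script file name is hypothetical); any line of output on an affected EMR version means a keytab is sitting in the staging directory.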
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation steps are to upgrade your Amazon EMR clusters to version 7.5 or higher, which removes the use of /tmp/ as a staging directory for Kerberos credentials. If upgrading immediately is not possible, apply the provided bootstrap script and RPM files containing the fix to your affected clusters as recommended by AWS. [1]