Vulnerability Description
Amazon EMR Secret Agent creates a keytab file containing Kerberos credentials. This file is stored in the /tmp/ directory. A user with access to this directory and another account can potentially decrypt the keys and escalate to higher privileges. Users are advised to upgrade to Amazon EMR version 7.5 or higher. For Amazon EMR releases between 6.10 and 7.4, we strongly recommend that you run the bootstrap script and RPM files with the fix provided in the location below.
CVSS Score
HIGH
Related Weaknesses (CWE)
References
- https://aws.amazon.com/security/security-bulletins/AWS-2025-017/
- https://docs.aws.amazon.com/emr/latest/ReleaseGuide/emr-750-release.html
- https://github.com/advisories/GHSA-hf8h-76fm-735v
FAQ
What is CVE-2025-8904?
CVE-2025-8904 is a vulnerability with a CVSS score of 8.5 (HIGH). Amazon EMR Secret Agent creates a keytab file containing Kerberos credentials. This file is stored in the /tmp/ directory. A user with access to this directory and another account can potentially decr...
How severe is CVE-2025-8904?
CVE-2025-8904 has been rated HIGH with a CVSS base score of 8.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-8904?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.