Amazon EMR Secret Agent creates a keytab file containing Kerberos credentials. This file is stored in the /tmp/ directory. A user with access to this directory and to another account can potentially decrypt the keys and escalate to higher privileges.

Users are advised to upgrade to Amazon EMR version 7.5 or higher. For Amazon EMR releases between 6.10 and 7.4, we strongly recommend that you run the bootstrap script and RPM files with the fix provided in the location below.
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Fri, 19 Sep 2025 10:45:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H'}


Thu, 18 Sep 2025 16:15:00 +0000

Type Values Removed Values Added
References

Fri, 15 Aug 2025 08:15:00 +0000

Type Values Removed Values Added
Type: First Time appeared
Values Added: Amazon; Amazon emr

Type: Vendors & Products
Values Added: Amazon; Amazon emr

Thu, 14 Aug 2025 06:30:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 13 Aug 2025 17:30:00 +0000

Type: Description
Values Added: Amazon EMR Secret Agent creates a keytab file containing Kerberos credentials. This file is stored in the /tmp/ directory. A user with access to this directory and to another account can potentially decrypt the keys and escalate to higher privileges. Users are advised to upgrade to Amazon EMR version 7.5 or higher. For Amazon EMR releases between 6.10 and 7.4, we strongly recommend that you run the bootstrap script and RPM files with the fix provided in the location below.

Type: Title
Values Added: Privilege escalation issue in Amazon EMR Secret Agent component

Type: Weaknesses
Values Added: CWE-257

Type: References

Type: Metrics
Values Added: cvssV4_0 {'score': 9, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: AMZN

Published:

Updated: 2025-09-19T10:22:13.908Z

Reserved: 2025-08-12T19:43:46.286Z

Link: CVE-2025-8904

Vulnrichment

Updated: 2025-08-13T20:34:24.881Z

NVD

Status: Awaiting Analysis

Published: 2025-08-13T18:15:33.417

Modified: 2025-09-19T11:15:36.217

Link: CVE-2025-8904

Redhat

No data.

OpenCVE Enrichment

Updated: 2025-08-14T12:59:59Z