CVE-2025-8904

Published Aug 13, 2025

Last updated 9 days ago

CVSS critical 9.0
AWS

Overview

Description
Amazon EMR Secret Agent creates a keytab file containing Kerberos credentials. This file is stored in the /tmp/ directory. A user with access to this directory and another account can potentially decrypt the keys and escalate to higher privileges. Users are advised to upgrade to Amazon EMR version 7.5 or higher. For Amazon EMR releases between 6.10 and 7.4, we strongly recommend that you run the bootstrap script and RPM files with the fix provided in the location below.
Source
ff89ba41-3aa1-4d27-914a-91399e9639e5
NVD status
Deferred

Risk scores

CVSS 4.0

Type
Secondary
Base score
9
Impact score
-
Exploitability score
-
Vector string
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Severity
CRITICAL

CVSS 3.1

Type
Secondary
Base score
8.5
Impact score
6
Exploitability score
1.8
Vector string
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Severity
HIGH

Weaknesses

ff89ba41-3aa1-4d27-914a-91399e9639e5
CWE-257

Social media

Hype score
Not currently trending

  1. CVE-2025-8904: Amazon EMR Secret Agent vulnerability. AWS security bulletin. https://t.co/LY4licoprW #AWS #CVE

    @TechBlitzHQ

    12 Jan 2026

    72 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. CVE-2025-8904 - Issue with Amazon EMR Secret Agent component https://t.co/roKYwBs3Wn

    @alex_pulver

    8 Sept 2025

    15 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. CVE-2025-8904 - Issue with Amazon EMR Secret Agent component https://t.co/T1sxPqroRo #patchmanagement

    @eyalestrin

    14 Aug 2025

    23 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. [CVE-2025-8904: CRITICAL] Users of Amazon EMR should be cautious of potential key decryption issues from the keytab file. Upgrade to EMR version 7.5+ or apply the fix for versions 6.10 - 7.4 as advised.#cve,CVE-2025-8904,#cybersecurity https://t.co/nDiZfBLlOx https://t.co/4SDorB0

    @CveFindCom

    13 Aug 2025

    34 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. CVE-2025-8904 Amazon EMR Secret Agent creates a keytab file containing Kerberos credentials. This file is stored in the /tmp/ directory. A user with access to this directory and anot… https://t.co/SmWghKcWfP

    @CVEnew

    13 Aug 2025

    167 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Related CVEs

  1. CVE-2024-31884
  2. Unsanitized input in an OS command in the virtual desktop session name handling in AWS Research and Engineering Studio (RES) version 2025.03 through 2025.12.01 might allow a remote authenticated actor to execute arbitrary commands as root on the virtual desktop host via a crafted session name. To remediate this issue, users are advised to upgrade to RES version 2026.03 or apply the corresponding mitigation patch to their existing environment.CVE-2026-5707
  3. Unsanitized control of user-modifiable attributes in the session creation component in AWS Research and Engineering Studio (RES) prior to version 2026.03 could allow an authenticated remote user to escalate privileges, assume the virtual desktop host instance profile permissions, and interact with AWS resources and services via a crafted API request. To remediate this issue, users are advised to upgrade to RES version 2026.03 or apply the corresponding mitigation patch to their existing environment.CVE-2026-5708
  4. Unsanitized input in the FileBrowser API in AWS Research and Engineering Studio (RES) version 2024.10 through 2025.12.01 might allow a remote authenticated actor to execute arbitrary commands on the cluster-manager EC2 instance via crafted input when using the FileBrowser functionality. To remediate this issue, users are advised to upgrade to RES version 2026.03 or apply the corresponding mitigation patch to their existing environment.CVE-2026-5709
  5. Allocation of resources without limits in the parsing components in Amazon Athena ODBC driver before 2.1.0.0 might allow a threat actor to cause a denial of service by delivering crafted input that triggers excessive resource consumption during the driver's parsing operations. To remediate this issue, users should upgrade to version 2.1.0.0.CVE-2026-35562

References

Sources include official advisories and independent security research.