CVE-2025-8904HIGH 8.5EPSS p22.3%

CVE-2025-8904CVE-2025-8904

Description

Amazon EMR Secret Agent creates a keytab file containing Kerberos credentials. This file is stored in the /tmp/ directory. A user with access to this directory and another account can potentially decrypt the keys and escalate to higher privileges. Users are advised to upgrade to Amazon EMR version 7.5 or higher. For Amazon EMR releases between 6.10 and 7.4, we strongly recommend that you run the bootstrap script and RPM files with the fix provided in the location below.

Scoring

CVSS 3.18.5 (HIGH)
VectorCVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS0.31% probability of exploitation · percentile 22.3% · 2026-06-19T12:03:05Z
Published2025-08-13
Last modified2026-04-15

Underlying weaknesses· 1

CWE-257

References

  1. https://aws.amazon.com/security/security-bulletins/AWS-2025-017/
  2. https://docs.aws.amazon.com/emr/latest/ReleaseGuide/emr-750-release.html
  3. https://github.com/advisories/GHSA-hf8h-76fm-735v

1

TypeTargetConfidenceTier
WeaknessStoring Passwords in a Recoverable Formatcwe-2570%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-5709
CVE
CVE-2025-12779
CVE
CVE-2025-33136
CVE
CVE-2025-53900
CVE
CVE-2026-5707
CVE
CVE-2025-59390
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.