CVE-2022-33891

Warning

Exploit

EPSS 93.27%
Published 18.07.2022 07:15:07
Last modified 30.07.2025 19:07:53
Source security@apache.org
Teams watchlist Login
Open Login

The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. This affects Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1.

Affected products Warnungen 1 Metrics 3 CWE 1 References 6

Data is provided by the National Vulnerability Database (NVD)

Apache ≫ Spark Version <= 3.0.3

Apache ≫ Spark Version >= 3.1.1 <= 3.1.2

Apache ≫ Spark Version >= 3.2.0 <= 3.2.1

07.03.2023: CISA Known Exploited Vulnerabilities (KEV) Catalog

Apache Spark Command Injection Vulnerability

Vulnerability

Apache Spark contains a command injection vulnerability via Spark User Interface (UI) when Access Control Lists (ACLs) are enabled.

Description

Apply updates per vendor instructions.

Required actions

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	93.27%	0.998

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
134c704f-9b21-4f2e-91b3-4a467353bcc0	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

http://packetstormsecurity.com/files/168309/Apache-Spark-Unauthenticated-Command-Injection.html

Third Party Advisory

Exploit

VDB Entry

http://www.openwall.com/lists/oss-security/2023/05/02/1

Third Party Advisory

Mailing List

https://lists.apache.org/thread/p847l3kopoo5bjtmxrcwk21xp6tjxqlc

Third Party Advisory

Mailing List

https://nvd.nist.gov/vuln/detail/CVE-2022-33891

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-33891

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-33891

EUVD