CVE-2022-33891

Warnung

Exploit

EPSS 93.27%
Veröffentlicht 18.07.2022 07:15:07
Zuletzt bearbeitet 30.07.2025 19:07:53
Quelle security@apache.org
Teams Watchlist Login
Unerledigt Login

The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. This affects Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1.

Betroffene Produkte Warnungen 1 Metriken 3 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Apache ≫ Spark Version <= 3.0.3

Apache ≫ Spark Version >= 3.1.1 <= 3.1.2

Apache ≫ Spark Version >= 3.2.0 <= 3.2.1

07.03.2023: CISA Known Exploited Vulnerabilities (KEV) Catalog

Apache Spark Command Injection Vulnerability

Schwachstelle

Apache Spark contains a command injection vulnerability via Spark User Interface (UI) when Access Control Lists (ACLs) are enabled.

Beschreibung

Apply updates per vendor instructions.

Erforderliche Maßnahmen

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	93.27%	0.998

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
134c704f-9b21-4f2e-91b3-4a467353bcc0	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

http://packetstormsecurity.com/files/168309/Apache-Spark-Unauthenticated-Command-Injection.html

Third Party Advisory

Exploit

VDB Entry

http://www.openwall.com/lists/oss-security/2023/05/02/1

Third Party Advisory

Mailing List

https://lists.apache.org/thread/p847l3kopoo5bjtmxrcwk21xp6tjxqlc

Third Party Advisory

Mailing List

https://nvd.nist.gov/vuln/detail/CVE-2022-33891

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-33891

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-33891

EUVD