Apache Spark is vulnerable to OS command injection. The vulnerability exists because it is possible to impersonate an arbitrary user name if ACLs are enabled, allowing an attacker to provide malicious input that is used to build and execute an arbitrary Unix shell command.
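The pattern described above, as an added Python illustration that is not Spark's own code: a user name concatenated into a shell string, next to a form that validates the name and passes it as a single argument with no shell. The `id -Gn` group lookup, the user name pattern, the function names and the sample input are assumptions of this example.

```python
import re
import shlex
import subprocess

# Conservative account-name pattern (assumption of this example).
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def unsafe_argv(username):
    """Vulnerable pattern: the name becomes part of a string parsed by a shell."""
    return ["bash", "-c", "id -Gn " + username]


def safe_argv(username):
    """Hardened pattern: validate, then pass the name as one argv element."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("rejected user name: %r" % username)
    return ["id", "-Gn", username]


def shell_words(script):
    """Approximate how a POSIX shell tokenises a string, keeping operators."""
    return list(shlex.shlex(script, posix=True, punctuation_chars=True))


def lookup_groups(username):
    """Run the hardened lookup; no shell ever parses the user name."""
    out = subprocess.run(safe_argv(username), capture_output=True,
                         text=True, check=True)
    return out.stdout.split()


if __name__ == "__main__":
    constructed = "alice;echo INJECTED"  # constructed sample input
    # The shell sees a command separator and a second command.
    print(shell_words(unsafe_argv(constructed)[2]))
    try:
        safe_argv(constructed)
    except ValueError as exc:
        print(exc)
    print(safe_argv("alice"))
```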
packetstormsecurity.com/files/168309/Apache-Spark-Unauthenticated-Command-Injection.html
www.openwall.com/lists/oss-security/2023/05/02/1
github.com/apache/spark/commit/1d524a88f6e93e9971a09f70eb2804dca51d578c
github.com/apache/spark/commit/9cc2ae7804156899850031bd694b1925473fb4cd
github.com/apache/spark/pull/36315
issues.apache.org/jira/browse/SPARK-38992
lists.apache.org/thread/p847l3kopoo5bjtmxrcwk21xp6tjxqlc