Lucene search
Veracode Vulnerability DatabaseVERACODE:40458HistoryMay 10, 2023 - 2:53 a.m.
OS Command Injection
2023-05-1002:53:17
Veracode Vulnerability Database
sca.analysiscenter.veracode.com
10
apache spark
os command injection
httpsecurityfilter
authentication
acls
unix shell command
0.015 Low
EPSS
Percentile
86.8%
Apache Spark is vulnerable to OS command injection. The authentication filter checks if a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter may allow someone to impersonate an arbitrary user name and execute a Unix shell command based on their input.
References
www.openwall.com/lists/oss-security/2023/05/02/1
github.com/advisories/GHSA-59hw-j9g6-mfg3
github.com/apache/spark/commit/1d524a88f6e93e9971a09f70eb2804dca51d578c
issues.apache.org/jira/browse/SPARK-38992
lists.apache.org/thread/poxgnxhhnzz735kr1wos366l5vdbb0nv
research.prod.srcclr.io/artifacts/36389
spark.apache.org/security.html
www.cve.org/CVERecord?id=CVE-2022-33891
Related
cnvd
cnvd
Apache Spark Command Injection Vulnerability (CNVD-2023-71729)
2023-05-08 00:00:00
nvd
nvd
CVE-2023-32007
2023-05-02 09:15:10
cve
cve
CVE-2023-32007
2023-05-02 09:15:10
osv
osv
CVE-2023-32007
2023-05-02 09:15:10
Apache Spark UI vulnerable to Command Injection
2023-05-02 09:30:17
PYSEC-2023-72
2023-05-02 09:15:00
attackerkb
attackerkb
CVE-2022-33891
2022-07-18 00:00:00
cvelist
cvelist
CVE-2023-32007 Apache Spark: Shell command injection via Spark UI
2023-05-02 08:37:22
nessus
nessus
Apache Spark <= 3.0.3 / 3.1.1 < 3.1.3 / 3.2.x < 3.2.1 RCE (CVE-2022-33891)
2023-03-10 00:00:00
Apache Spark <= 3.0.3 / 3.1.x > 3.1.1 / 3.2.x < 3.2.1 RCE (CVE-2022-33891)
2023-03-27 00:00:00
prion
prion
Command injection
2023-05-02 09:15:00
github
github
Apache Spark UI vulnerable to Command Injection
2023-05-02 09:30:17
