Apache Spark is vulnerable to OS command injection (CVE-2022-33891). The authentication filter checks whether a user has permission to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter may allow an attacker to impersonate an arbitrary user name, and that attacker-supplied name is used to build a Unix shell command that is then executed.
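The defensive pattern for the flaw described above, as an added example that is not Spark's own code: a user name taken from a request parameter is validated against a strict allowlist and passed to the group-lookup command as a separate argv element instead of being interpolated into a shell string. The `user` parameter name and the `id -Gn` lookup are assumptions for this example, not details from the advisory.

```python
"""Hardened handling of a user name that flows from an HTTP ACL check into an
OS-level group lookup (the bug class behind CVE-2022-33891).

Assumptions (not from the advisory): the filter reads the name from a request
parameter called ``user`` and resolves groups by running ``id -Gn <name>``.
"""
from __future__ import annotations

import re
import subprocess
from typing import Optional

# Strict allowlist for POSIX-style account names. Anything outside it is
# rejected before the value can reach a process invocation.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def validate_username(user: str) -> Optional[str]:
    """Return the name if it is a plain account name, otherwise None."""
    return user if USERNAME_RE.fullmatch(user) else None


def vulnerable_group_command(user: str) -> str:
    """Injection-prone pattern: the name is spliced into a single shell string,
    so shell metacharacters in it become part of the command line."""
    return f"id -Gn {user}"


def hardened_group_argv(user: str) -> Optional[list[str]]:
    """Hardened pattern: validate first, then build an argv list so the name is
    always one argument. Returns None when the name is rejected."""
    safe = validate_username(user)
    return None if safe is None else ["id", "-Gn", safe]


def resolve_groups(user: str) -> list[str]:
    """Run the hardened lookup without a shell; empty list if rejected/unknown."""
    argv = hardened_group_argv(user)
    if argv is None:
        return []
    proc = subprocess.run(argv, capture_output=True, text=True)
    return proc.stdout.split() if proc.returncode == 0 else []


def requester_can_view(params: dict[str, str], view_acl: set[str]) -> bool:
    """ACL check for a filter: the requested identity must validate before use."""
    user = validate_username(params.get("user", ""))
    return user is not None and user in view_acl
```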
www.openwall.com/lists/oss-security/2023/05/02/1
github.com/advisories/GHSA-59hw-j9g6-mfg3
github.com/apache/spark/commit/1d524a88f6e93e9971a09f70eb2804dca51d578c
issues.apache.org/jira/browse/SPARK-38992
lists.apache.org/thread/poxgnxhhnzz735kr1wos366l5vdbb0nv
research.prod.srcclr.io/artifacts/36389
spark.apache.org/security.html
www.cve.org/CVERecord?id=CVE-2022-33891