[MAVEN:GHSA-59HW-J9G6-MFG3] Apache Spark UI vulnerable to Command Injection

Severity High

Affected Packages 2

Fixed Packages 2

CVEs 1

The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. This issue was disclosed earlier as CVE-2022-33891, but incorrectly claimed version 3.1.3 (which has since gone EOL) would not be affected.

NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Users are recommended to upgrade to a supported version of Apache Spark, such as version 3.4.0.

Package	Affected Version
pkg:maven/pyspark	>= 3.1.1, < 3.2.2
pkg:maven/org.apache.spark/spark-parent_2.12	>= 3.1.1, < 3.2.2

Package	Fixed Version
pkg:maven/pyspark	= 3.2.2
pkg:maven/org.apache.spark/spark-parent_2.12	= 3.2.2

ID

MAVEN:GHSA-59HW-J9G6-MFG3

Severity

high

URL

https://github.com/advisories/GHSA-59hw-j9g6-mfg3

Published

2023-05-02T09:30:17
(16 months ago)

Modified

2023-11-12T05:00:58
(10 months ago)

Rights

Maven Security Team

Other Advisories

PYSEC-2023-72

Source	# ID	Name	URL
			https://nvd.nist.gov/vuln/detail/CVE-2023-32007
			https://lists.apache.org/thread/poxgnxhhnzz735kr1wos366l5vdbb0nv
			https://spark.apache.org/security.html
			https://www.cve.org/CVERecord?id=CVE-2022-33891
			http://www.openwall.com/lists/oss-security/2023/05/02/1
			https://github.com/pypa/advisory-database/tree/main/vulns/pyspark/PYSEC-2023-72.yaml
			https://github.com/advisories/GHSA-59hw-j9g6-mfg3

Type	Package URL	Namespace	Name / Product	Version
Affected	pkg:maven/pyspark		pyspark	>= 3.1.1 < 3.2.2
Fixed	pkg:maven/pyspark		pyspark	= 3.2.2
Affected	pkg:maven/org.apache.spark/spark-parent_2.12	org.apache.spark	spark-parent_2.12	>= 3.1.1 < 3.2.2
Fixed	pkg:maven/org.apache.spark/spark-parent_2.12	org.apache.spark	spark-parent_2.12	= 3.2.2

# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	Exploits	PoC	Pubblication Date	Modification Date
# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	PoC	Pubblication Date	Modification Date