TROYANOSYVIRUS
Voltar para CVEs

CVE-2022-33891

HIGHCISA KEV
8.8

Descricao

The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. This affects Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1.

Detalhes CVE

Pontuacao CVSS v3.18.8
SeveridadeHIGH
Vetor CVSSCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Vetor de ataqueNETWORK
ComplexidadeLOW
Privilegios necessariosLOW
Interacao do usuarioNONE
Publicado7/18/2022
Ultima modificacao10/23/2025
Fontekev
Avistamentos honeypot0

CISA KEV

FornecedorApache
ProdutoSpark
Nome da vulnerabilidadeApache Spark Command Injection Vulnerability
Data inclusao KEV2023-03-07
Prazo de remediacao2023-03-28
Uso em ransomwareUnknown

Produtos afetados

apache:spark

Fraquezas (CWE)

CWE-78CWE-78

Referencias

http://packetstormsecurity.com/files/168309/Apache-Spark-Unauthenticated-Command-Injection.html(security@apache.org)
http://www.openwall.com/lists/oss-security/2023/05/02/1(security@apache.org)
https://lists.apache.org/thread/p847l3kopoo5bjtmxrcwk21xp6tjxqlc(security@apache.org)
http://packetstormsecurity.com/files/168309/Apache-Spark-Unauthenticated-Command-Injection.html(af854a3a-2127-422b-91ae-364da2661108)
http://www.openwall.com/lists/oss-security/2023/05/02/1(af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread/p847l3kopoo5bjtmxrcwk21xp6tjxqlc(af854a3a-2127-422b-91ae-364da2661108)
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-33891(134c704f-9b21-4f2e-91b3-4a467353bcc0)

Correlacoes IOC

Sem correlacoes registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.